By Tom O'Reilly
8 May 2017
It is not uncommon for CAEs to read thought leadership that highlights internal audit’s inability to meet stakeholder expectations and room for improvement (e.g. here, here, and here). While these insights may provide specific examples of what internal auditors should do to improve their perceptions, the “how-to” of these articles usually include recommendations that indirectly infer the thought leader should be hired to fix the problem.
While these improvement opportunities were top of mind during the CAE Leadership Forum’s August meeting, it was equally refreshing and exciting event panelists Rob Goldberg, Partner at Sunera, and Norman Marks, Internal Audit author and semi-retired CAE, share their perspectives on what internal auditors can change today to improve our stakeholder’s perceptions.
Of the many lessons learned during their presentations, Rob and Norman shared six best practices that world-class internal audit departments and CAEs use that, if implemented or acted on, would help other CAEs be more effective and leave their Audit Committees more satisfied with their internal auditors.
1. Internal Audit’s Role in Risk Management
What should Internal Audit be doing as it relates to the management of risk? Norman believes there are multiple things CAEs can do.
First, the CAE can seek to understand how the organization identifies risk and manages uncertainty in their organization. One of the biggest risks an organization can face is its inability to identify and respond to risk events. The CAE can, and should, provide an assessment of how the organization manages risk to the organization’s board of directors.
A CAE can also meet with business managers to better understand what they spend the majority of their time on, and how that helps or hinders the organization to achieve its objectives. To help facilitate early discussions, the CAE can share and discuss relevant articles or thought leadership with business managers, or discuss any adverse effects that could be experienced as the result of changes to people, processes, or technologies.
The CAE’s ultimate goal is to provide relevant information to the people who may need it the most. After multiple meetings, the CAE should be more knowledgeable and versed on how the organization’s main risks are managed, and be better equipped to provide insight and perspectives to business managers in future meetings.
2. Implementing a Continuous Risk Monitoring Process without Breaking the Bank
Upon contrary belief, thousands of dollars do not need to be spent on application and license fees for risk and internal audit professionals to carry out their risk-related responsibilities.
According to Rob, in order for internal auditors to move towards a continuous risk monitoring process, they need to be able to receive, and provide, risk updates in real time. Prior to his role at Sunera, Rob was a Vice President in Walmart’s internal audit department. To continuously monitor risk, Rob assigned his direct reports and other internal audit managers to maintain different relationships with business managers across the globe.
After each meeting, every team member would document their meeting notes on a Walmart shared drive, and highlight key words and topics discussed. That way, when another team member is preparing for a new meeting with a business manager, they can search the shared drive for key terms and topics they may discuss, and find more relevant and timely information to share.
And Norman agrees. To continuously monitor risks, internal auditors need to have regular business oriented contact with executives. And to be able to meet with executives regularly, internal auditors need to share relevant business insights from what has been learned elsewhere in the organization.
3. Risk Resources Worth Considering
Now that the CAE has a much better appreciation on how to carry-out risk management and continuous risk monitoring activities, what resources can be leveraged to find information to help facilitate a risk discussion and program?
While Norman did not mention it during his remarks, first and foremost, every risk and internal audit practitioner should read World Class Risk Management, authored by Norman. His book is, in my opinion, the best guidance available for individuals to help organizations better manage risks by making more informed business decisions. And yes, it really is that easy to buy it on Amazon.
Norman did however, mention a number of methods and resources CAEs, Internal Auditors, and risk practitioners can use to help them carry-out their responsibilities. First, he recommended that everyone should have, and continually nurture and develop, their own network of other Internal Audit, risk, and business professionals. Conversations are usually the quickest and easiest way to understand how different organizations may have resolved a similar problem.
Other resources Norman recommended to the audience included the Open Compliance and Ethics Group (www.oceg.org) , the IIRC (http://integratedreporting.org/), Deloitte’s Risk Angles Series, and risk related thought leadership published by Accenture.
I would also add Norman’s twitter feed (https://twitter.com/normanmarks) for interesting and relevant business events and articles, and Norman’s blog (www.normanmarks.wordpress.com) as two invaluable risk resources. If these are not enough, you can also find six more risk resources to consider using here.
4. Aligning Internal Audit’s Mission Statement and Value
Most internal audit departments have mission statements that reinforce why the function is there, and they usually revolve around helping the success of the business. However, when you read most audit reports, the output, or value provided, does not necessarily reflect the mission statements. They usually what is wrong, and what will be done to fix it.
Rob challenged the audience to improve our alignment by considering a change to the way we communicate. Instead of focusing on “here’s what’s wrong”, the focus should be on “here is how you can operate more efficiently”, or “here is what will go wrong in the future if we don’t make a change now”. Answers to these forward looking questions should better align the value provided by internal audit with what is promised in their mission statement.
Additionally, Rob recommended that Internal Auditors, and CAEs, will improve their ability to persuade and influence when we stop using internal audit jargon in our communications. Internal communications, especially to the audit committee, need to include less audit speak, and more business terms used by your organization.
5. Audit Reporting – Less is More
Speaking of audit reporting, why are audit reports so long? In my short time, I’ve seen and heard of examples of egregiously long audit reports. One that comes to mind would take 10 – 15 pages to summarize all of the audit procedures performed, and in certain instances, not have any issues to report. I’ve also heard partners at internal audit co-sourcing firms exclaim that their internal audit reports do not contain useful information to a client gets to the sixth page of the audit report.
Norman mentioned that the Institute of Internal Auditor (IIA) standards do not require internal auditors to write an audit report. Most organizations require their Internal Audit team to communicate the results of their engagement. To fulfill this requirement, Norman instructed that internal audit should seek to understand what their audience needs to know, and why.
Rob added that CAEs should ask themselves the following question: What can we stop including in our audit reports that will not affect the value we provide to our stakeholders? If we look introspectively, a CAE could probably easily cut out 30 – 40% of the information included in the audit report without affecting our customer.
Potential areas to remove or significantly reduce could include the background, scope, and objectives sections of the audit reports. If an audit report uses the issue / business risk / recommendation /action plan format, CAEs could consider removing the recommendation altogether, if the agreed to action plan sufficiently remediates the issue. And finally, if an audit issue does not highlight a significant risk to the organization, the CAE should question whether or not it needs to be reported at all.
As an aside, if you do want to add more information to an audit report, considering giving credit where credit is due. Norman mentioned that for engagements where managers and team members were found to be adequately managing their risks, he would highlight the individuals, by name, in the audit report. This gave the opportunity for internal audit to spread their goodwill, and even provided opportunities for executive managers, including the CEO, to thank employees for a job well done.
6. Be Project, not Process Oriented
When asked about potential future changes to the Internal Audit industry, Norman explained that mature internal audit departments, and their projects, will become more project focused, and not necessarily process focused.
To illustrate, he explained that Apple’s CAE makes it a point to hire risk-oriented project management professionals as internal auditors. Because of their risk and project management expertise, Apple’s internal auditors are embedded in different organizational projects and initiatives. If a project executive made a change that could result in an unacceptable level of risk, the internal auditor would bring it to their attention. And if they disagreed on their response, executive management would be involved.
To carry the point forward, also keep in mind that most strategic initiatives of an organization usually involve a special project team to work on and succeed. Those CAEs who seek to identify these types of projects, and align their audit plan with work catered to these projects, should have a much more risk-focused audit plan than the CAE who has a rotation of processes her team audits every three years.
Article by Tom O'Reilly, Vice President and General Manager of Internal Audit and Seminars at MISTI.