By Tom O'Reilly
25 May 2017
One telling sign of a maturing internal audit department is when the CAE proposes audit topics that are organizationally-focused around key projects and initiatives (e.g. evaluating the make-or-buy decision for a material for a key part or performing an assessment of a recent new product introduction) versus a generic audit topic (e.g. payroll or procurement cards).
To identify and muster support for performing more risk-focused internal audit projects, the CAE will need to do more than just analyze large account balances or speak to different department managers.
Chief Audit Executives who use one or more of the following sources to identify risks relevant to their organization should be able to propose a more targeted and robust audit plan that is more closely aligned to their organization’s largest risks.
1. Competitor Earnings Calls
In addition to providing an analysis of the organization’s financial results, earnings calls provide information on the focus of a competitor’s management team, including new products, partnerships, or markets to enter. Useful information may also be found in management’s answers to analysts and investors’ questions. These conversations at the end of the call normally focus on areas that may cause future problems for that management team, which in turn may be something you would want to keep in mind yourself.
2. Front-line Sales Staff
If ever there was a source to identify true pain points in an organization, it is the sales team. Sales staff are usually quick to identify and vocalize, non-value add administrative items that keep them from spending more time with customers and business leads. These activities could be a risk to the organization’s top line growth.
Common problem areas sales people may mention could revolve around marketing, shipping, expense budgets, and compensation. Some of these problems could be improved after having been audited, (perhaps marketing and shipping), and some may not, (increasing expense budgets and compensation).
Regardless of what you learn, developing relationships with Sales employees is a sure-fire way to understand why customers buy or don’t buy, from your organization, and how Internal Audit can help the revenue producing entities of the organization. And when Internal Auditors start having more of these types of conversations, it will be easier for some to see that we’re the good folks!
It’s disappointing to hear so many internal auditors quickly dismiss the idea of using Twitter, both personally and professionally. “I have nothing to say”, “I’m fine getting my news the way I do now.” Ugh! How are we supposed to be change agents if we don’t change ourselves?
Twitter is a social media tool that aggregates news from people and organizations you specifically choose to hear more from. For example, historically, if you wanted to better understand compliance and ethics-related risks, you would have to visit websites such as Compliance Week, OCEG, and the Wall Street Journal, to find, or pull, information relevant to you.
Using Twitter, you can subscribe to these organizations’ profiles (Compliance Week and OCEG), and have them send, or push, articles and updates of interest to them. To boot, you can also choose to follow their key contributors (Matt Kelly and Tammy Whitehouse at Compliance Week and Carole Switzer at the OCEG to name a few), to receive updates on articles and research that they find interesting. Using Twitter as a news source for risk events other organizations are dealing with allow for an efficient way to understand the conversation of the risk topic.
4. Other Chief Audit Executives
This seems like a no-brainer, but I would wager that most CAEs probably do not spend adequate time networking with other CAEs. Besides providing an understanding shoulder to cry on, exchanging ideas with other CAEs is a great way to learn not only how the organization identified the risk, but what the CAE did in response to it.
How do you get in touch with CAEs? It is a lot easier than you may think. One way is to find industry peers on Linkedin. Include the competitor’s organization’s name in the search box with the word “audit”, and chances are, if the CAE is on Linkedin, they will populate in your search. If the CAE’s email address is not included in their profile, then you should be able to send them a message via Linkedin.
Another way to connect with CAEs is to attend any of the Institute of Internal Auditors (IIA’s) or MIS Training institute’s training conferences. Chances are, the CAE is not with anyone from their team, and they are looking to network. The true benefit of these conferences is the opportunity to network, not be taught by your new connection. The CAE that keeps their questions to a minimum, and looks to help their new acquaintance will probably get more out of the new relationship than others.
5. Retired Employees
Retired employees may have been long-standing employees of the organization, some of which have been with the organization for longer than 30 or 40 years. Retirees may be stewards of the organization’s history may sometimes be quickly forgotten by their peers in their department soon after leaving the organization.
Not only may they be open to answering questions, but depending on the managerial level of the organization they were last in, they may also share information about other executives’ management styles, inner workings of different business units, or poor relationships with key customers who may be at risk of being lost. If the retired employee left on good terms, it should be fairly simple to obtain their contact information within their last department.
6. Internal Audit Vendors
Internal Audit vendors are pre-validated risk sources. Why? Because CAEs pay them to help with significant business problems! Internal Audit vendors can not only provide context of their area of expertise, but also context on how other organizations are handling the problem, how the problem came to fruition, and the event that warranted Internal Audit’s involvement.
The best internal audit vendors understand that the more they inform and educate, the more likely they are to earn a CAE’s business. If you find an open and informative vendor, treat them nice, and be quick to refer them others in your network. You’ll be surprised how much information you receive because of it.
The next time you attend a conference, consider skipping one or two sessions to spend time with the vendors exhibiting at the conference. You’ll be able to spend more time with each vendor, and more likely to have a one-on-one conversation. Chances are, you’ll also have the opportunity to make a personal connection, opposed to being just another face in the crowd during the conference breaks.
Ready, Set, Go!
As most fiscal year ends quickly approach, many CAE’s will begin focusing more time on the risk identification and assessment process with a goal of proposing next year’s internal audit plan. Chief Audit Executives who implement one or more of these risk sources to their daily activities should be more in-tune with their business and industry trends, and more likely to identify relevant organizational risks. And those CAEs who carry-out risk-based audits are more likely to enable positive change by providing assurance and feedback on processes that manage these important risks.
Article by Tom O'Reilly, Vice President and General Manager of Internal Audit and Seminars at MISTI.