All change: Internal audit and disruption
Organisations face disruption constantly from multiple sources, but few would argue that the events of the past year have caused unparalleled disruption for businesses, sectors and markets across the globe. However, disruption, as we have seen in periods of war, rapid industrialisation or technological change, brings opportunities as well as threats. Internal audit is in a unique position to help identify both and to support businesses so they emerge stronger and more resilient from such disruptive periods – but do internal auditors feel equipped and prepared to do so?
The Chartered IIA partnered with Protiviti to host a series of roundtables in the early months of this year and interviewed chief audit executives (CAEs) across a range of private- and public-sector organisations to find out how their organisations and internal audit have fared during the pandemic and what they have learnt from the experience. They discussed what, if anything, they would do differently if and when the next major disruptive event strikes, and what the disruption has caused them to do differently that they intend to continue doing into the future.
Although the pandemic was the most obvious cause of recent disruption, the questions were intended to draw out lessons from disruption in general, from every source. Significantly, 72 per cent said their organisation had been affected by disruption from a cause other than the pandemic.
Fast and flexible
Although experiences varied widely according to sector and market, some common themes quickly emerged. Most of the efficiency gains and innovations mentioned have been touted as desirable in the long term, but respondents generally believed that the crisis prompted (and enabled) them to move to a higher level more rapidly than they expected – in particular, many mentioned faster, more focused and flexible internal audit planning and reporting processes.
Speed and agility were a critical element in many positive experiences and outcomes. Interviewees in all sectors marvelled at the way in which their teams had moved to remote working almost overnight in the first lockdown – echoing Lenin’s famous statement that there are decades where nothing happens; and there are weeks where decades happen. “If you had told me we would all be able to work remotely a year ago, I would have said it was impossible,” said one. Another agreed: “If we had embarked on a project to move everyone to remote working, I would have said that it would take about 18 months.”
The pandemic has also proved a bonding experience, despite the challenges of managing and inducting people via Zoom or Teams. “I am so proud of my team!” was a common refrain. This makes it unsurprising that communication and staff wellbeing were highlighted as key concerns – reinforcing the emphasis on “soft” skills, leadership and effective communication as vital components in internal audit’s toolkit, both within internal audit teams and for increasing the function’s impact with management.
Many also said that internal audit’s reputation and relationships within the organisation had improved, and most welcomed more requests for support from management. While resources are finite, heads of audit generally saw this as good for the profession and hoped to meet the new demand by providing more short, focused reports, and by working collaboratively with colleagues and the wider stakeholder community. Others commented explicitly on the benefits of increased management appreciation of their role and of the importance of good governance, risk management and internal control across the organisation.
Technology has clearly played an important part in enabling internal audit to continue working effectively during lockdowns, whether auditors were doing full audits or supporting the business with consultative and real-time assurance work. As entire teams have begun to work virtually, their familiarity with, and confidence using, technology has increased. Interviewees not only wanted to hold on to existing gains, but planned to build on these and incorporate more data and automated systems, more quickly, in future.
On the horizon
When asked about organisations having to take more risks to survive in a riskier world, 66 per cent of roundtable attendees believed that internal audit is capable of assessing, and commenting on, the balance between internal and external risks, which would inform their contribution to the impact of future disruption events (such as climate change, financial liquidity problems, cyber security attacks and challenges to their organisation’s sustainability).
Interviewees and attendees at the roundtables agreed that internal audit needs to continue to develop and improve its ability to scan the horizon for emerging risks, regardless of how well their organisation had predicted and responded to the pandemic. Some said they had learnt lessons about paying more attention to what was happening in other parts of the world, even when their business was not directly affected. Others enthused about new opportunities for collaboration and sharing knowledge that had made them feel more integrated in the wider internal audit profession, such as the Chartered IIA’s forums.
View from Mark Peters, managing director of Protiviti UK
“Protiviti’s annual survey of C-level executives and directors’ perspectives on macroeconomic, strategic and operational risks, highlights the influence of the Covid-19 pandemic, the economy, digital technology, talent and organisational resiliency on the risk landscape over the near term. It’s essential we prepare ahead and embrace the global megatrends, for the future may arrive sooner than you think.
Boards are considering disruptive forces in evaluating their risk oversight focus in the coming years in the context of the company’s risks inherent in its operations. If senior leadership has not identified or prioritised these issues as matters to consider in managing the business going forward, internal audit should consider their relevance to the company’s strategy and ask why not.
The internal audit profession has also experienced significant and positive changes over the past few years, which have only accelerated during the pandemic. CAEs and their teams are experiencing the rapid adoption of technology and evolving business models underpinning the importance for them to develop and advance next-generation components relating to knowledge and skillsets in governance, methodology and enabling technology.
Most internal audit groups we see are just starting on this journey. Developing a next-generation internal audit function requires changes to processes, skills, and technology – and these take time to develop.
The vision for internal audit will also change as new business objectives, risks and technologies, materialise. For this reason, an effective next-generation function will be adaptable: flexible enough to respond to disruptions that can’t be seen today but will definitely arrive tomorrow.”
Mark Peters is MD, internal audit & financial advisory, at Protiviti UK.
This article was published in July 2021.