View from the top: Expectations - trust, balance and influence

Over the past year, many organisations have adapted in ways and at a speed we could never have foreseen even two years ago. The pace of technological development and innovation has changed, and is continuing to change the way we interact with customers, stakeholders and the wider public. Many organisations are going through some kind of transformation even if they do not realise it.

Business and service models, working models, behavioural models, profitability models and, in many cases, market environment and opportunity have also changed or are changing. This has accelerated some digital transformations already under way and raised awareness of the opportunities and risks associated with data mining, analytics, artificial intelligence (AI) and robotics. This is in addition to increasing corporate governance focus on cyber security, social purpose, culture, behaviour, environmental, social and governance (ESG) issues, privacy and reporting.

All of these have short-term and long-term implications for an organisation’s risk appetite and control framework, and for its relationships with its stakeholders. Some companies see these as current risks, while others regard them as emerging ones.

The question I ask internal auditors is how much time they are spending on these areas. For example, have you completed an audit on culture, AI, business transformation or ESG? Have you discussed with the leadership team how they perceive these risks? Do you have a view on how these affect your organisation and its control structure? Are they today’s risks or tomorrow’s risks in your organisation?

To deal with the challenges we now face, chief audit executives (CAEs) need to look at themselves, their mandate, relationships, skill sets and teams. Internal audit should be invaluable to organisations at the moment, not just to ensure that the short-term, stressed control environment is sound, but also that the new or emerging risks their organisation faces are well understood, and the culture and control environments are developing accordingly.

One of the audit committee’s responsibilities is to ensure there is a system of controls in the organisation that is appropriate and working effectively. The board has to give an opinion on this in the annual report. The audit committee therefore spends significant time focusing on control and assurance. In a typical meeting, we would look not just at major accounting judgments and reporting, but also at the general control status of the organisation. Internal audit has an important role to play.

The CAE’s role is key in an organisation and to the audit committee. As an audit committee chair, I have several expectations of a CAE. One important element is personal – trust. We need an open, honest relationship. I don’t want just to receive 100 audit reports, but also to hear what the CAE thinks.

If you put all the audits together and look at all the risks in the context of the whole organisation, what do you really think? What are the organisation’s capabilities? Where are the gaps? Where are the weaknesses – and are these critical, non-critical, getting better or getting worse?

I need a whole view so that I can understand how the organisation is coping not just with today’s risks, but with those of tomorrow. Is our pace of transformation too fast or too slow for the general control environment? Pace is a huge burden for organisations, so getting a view on the pace at which we are going is an important part of this relationship. The CAE’s view is important and helps to calibrate the views of the CEO and leadership team. 

I also expect balance and influence. It’s one thing to write everything up and another to identify the most important elements. The CAE must assure me and the committee that the control structure of the organisation is keeping pace with organisational capabilities and is working effectively.

Audit planning and measurement systems are vital here and it’s helpful to opine not just on control effectiveness, but also on the culture of control; a one-dimensional grading assessment may no longer be enough in complex organisations. I expect the CAE to understand the wider context within which the organisation operates, as this can change rapidly, in which case the inherent risks also change. We may be fine one day and not the next if, for example, public, government or market expectation changes.

I expect the CAE to have a relationship with the CEO, board members and other senior leaders and I see the role as part of an axis of control within the organisation. To aid this, it is critical the CAE and the role of internal audit is credible and respected and I would advise internal audit to lead by example. It’s difficult to criticise others and offer your opinions in a changing environment if you are not evolving and developing yourself.

Internal audit is often a relatively small team, so it may be in a good position to pioneer new ways of working, especially with data analytics. I see senior internal audit roles as stepping stones to leadership positions in the organisation, and internal audit roles as key postings for developing executives.

Last, but not least, I’d like the CAE to be a futurist, able to express their views and give value-added opinions not just on the situation today, but on our preparation for tomorrow.

I ask CAEs to look at their organisations and the position of internal audit and to assure themselves and their audit committees that they are mandated and structured to cover, not just today’s risks, but the emerging risks facing their organisations. Internal audit provides a fantastic insight into almost every aspect of an organisation, so enjoy what you do, add value, piece it all together, and it should be a great springboard for your future career.

John Devine spoke to the Chartered IIA’s Heads of Internal Audit Forum in February. Notes of his talk and of others are available on the institute’s website.

This article was first published in March 2021.