Is your strategy evolving internal audit?
This article looks at key issues for you as audit leaders to include in your internal audit strategy. They are all instrumental in supporting the continued evolution of your function and the overall profession.
The strategic planning process will feature on many audit plans as it is critical to the future success of an organisation – its integrity, relevance to external conditions, consideration of options and appropriateness of underlying assumptions. But what of your own internal audit strategy – do you give it the same scrutiny? It is a requirement of the Global Standards.
Evolution without strategy?
In our ever changing world, traditional 3-5 year audit strategies may seem outdated, yet without a framework for change there are risks. Firstly that internal audit is misaligned to the organisations strategy and secondly that change activity becomes a substitution of one thing for another without evolution or transformation. Leadership is about direction and a strategy clearly demonstrates to stakeholders how internal audit will meet and aim to exceed their needs.
A driver planning a journey from Aberdeen to Swansea will have a route in mind although will undoubtedly need to adapt due to traffic disruptions along the way. This may change plans for fuel stops and comfort breaks, encounter a few wrong turns or lead to unexpected opportunities that delay the journey, but still reaching the intended destination. The trusty sat nav supports the driver in their journey once programmed with an endpoint much like a strategy with its goal and purpose can guide a CAE.
With ever increasing demands on internal audit, what CAE has the time to drive around just to admire the view, no matter how nice it is! Where is the organisation going? What does internal audit need to ready itself to provide assurance over; new projects/systems/markets/territories, mergers, acquisitions, downsizing or transformational change.
CAEs are used to the concept of doing more for less but continuing to do that year after year is challenging and debilitating for the audit team; even prioritised risk-based audit plans leave an assurance gap. What are the discussions that take place on risk appetite and the areas where assurance will not be provided? Where does internal audit need to improve in its ability to respond to consultancy requests?
Ahead of the curve
In meetings it can be uncomfortable to be the person who didn’t read the latest memo, being out of the know; for a CAE it can be ruinous. Whether it is change in the organisation, legislation, industry sector or competitor activity it is important to read the road ahead and be ready to take the curves at pace.
With the current velocity of change set to continue is it sufficient to rely on existing networks? What is the functions social media strategy – who monitors Twitter, what blogs do people read, which contacts share knowledge on Linked In? Networking events and trade publications.
Integrated assurance
If your board/audit committee does not currently have the advantage of an assurance map, a pictorial view of where, how and when assurance is provided across all lines of defence, it is a persuasive strategic initiative for CAEs to deploy.
It is a tool which falls to internal audit or risk functions to produce and helps to avoid duplication of activities, target second line activity and reduce undue pressure on business areas. Organisations using an assurance map often develop strong networks among assurance providers which leads to a more integrated, knowledge rich, mature, governance, risk and control environment.
Should this be on your strategic plan for the year ahead?
Insight driven organisations
The digital age brought about exponential growth in data. This presents challenges and opportunities with organisations continuously evolving their capability to use big data pushing new boundaries on risk analysis, ethics, monetisation and legislation; the Cambridge Analytica, Facebook, Cambridge University saga makes this very clear.
What does big data look like in your organisation today, tomorrow? How is your internal audit planning and engagement methodologies adapting to the change? What is happening in the wider sector that you can learn from? Successful organisations are moving away from simply analysing data in a quest to understand its true value to generate insight and foresight.
Significant value can be gained by internal audit embracing data analytics, yet many CAEs struggle to deploy it effectively. Without the capability to interrogate data how can internal audit progress from its traditional hindsight based on facts and evidence to a more insightful and foresight driven assurance programme. Is this an area for audit recruitment; co-sourcing or working closely with subject matter experts in the second line?
Governance
The activities of internal audit are one of the cornerstones of good corporate governance. Yet what of the governance of internal audit itself? What strategic goals could benefit the function and the organisation?
As a CAE, is your formal reporting line to the Audit Committee? What about the reality of the day to day chain of command; is it senior enough, can it compromise independence, is there interference, could the relationship be better?
Effective governance requires good information. Do stakeholders get value from audit reports and committee papers? Do they inspire confidence in the assurance being provided? Can insightful questions be asked of management due to the trends presented or opinions raised? CAEs are the eyes and ears of an organisations independent oversight body; what actions do you need to take to ensure they are not blinkered or muffled by the quality of your presentations?
Technology skills
In the digital age, technology skills are as essential to internal auditors as the ability to interview and write reports. From GDPR (general data protection regulations) to cybersecurity, NIS (Network Information Security Directive) to cloud computing, artificial intelligence and beyond, technology proliferates without boundaries.
Whilst modelling is often associated with financial services for decision making it is commonplace in all organisations from complex spreadsheets to specialist software. It is used for marketing activities, forecasting, viability assessments, risk probability, the list could be endless, particularly with the rise of artificial intelligence improving the reliability and scope of programming.
Digital literacy is an intrinsic skill among millennials; how diverse is your team? When did you last carry out a skills analysis? What steps are being taken today to secure appropriate resources; co-sourcing, upskilling, specialists for the needs of tomorrow as well as today?
Do you know which critical business decisions rely on modelling or spreadsheets? Is there an assurance programme that internal audit oversees or delivers? Could this be a strategic activity for the team?
Working smarter
Audit functions in organisations that are lean or transforming may find that traditional methodologies involving risk and control matrices or weeks of fieldwork are struggling to maintain efficiency and effectiveness.
Management courses often talk about working smarter, lessening interruptions, modifying and adapting rather than creating, theming activity for days or weeks to focus the mind, having a positive attitude or looking at different ways to measure the value of achievements. CAEs can learn from their project colleagues in adopting agile techniques – working collaboratively, flexible workplans, bursts of work called sprints and daily briefings to share information called scrums.
Could your team be more effective? When is the last time the bonnet was lifted on ways of working? Demonstrating innovation through strategic initiatives also contributes to the positive reputation of the function.
Right first time
Agreed management actions as a result of audit engagements have a high profile. It is important that they are appropriate and proportionate to the needs of the business not pedantry or bureaucratic. They must also get to the heart of the matter; the root cause.
Internal auditors should be familiar with the five whys technique but what about root cause analysis? Could this be part of the strategic development of the team?
Audit influence
Aside from informal CAE activity, the audit plan defines the reach of internal audit; is yours limited to compliance, financial controls and operational areas? Does your plan extend to audits of the strategic process, organisational culture, risk management, corporate governance, board effectiveness or diversity?
Assurance provided from the holistic advantage point and independent nature of internal audit is unique and critical to organisational success. No other function can provide objective assessment on often veiled risk factors that can influence how decisions are made and implemented.
Organisations across all sectors are cost-conscious and benefit from high calibre internal resource. CAEs must be delivering value and creating teams capable of interviewing at board level, presenting with gravitas and with the technical competency to undertake strategic level audit engagements.
Closing thoughts
A business maintains its position in the upper quartile by continuing to innovate and the same applies to successful internal audit functions. CAEs need to be self-aware of how their function needs to evolve, putting in place measurable action plans to make it happen. Whether incremental, transformational or revolutionary the strategic activities that CAEs begin this year will ultimately help shape the profession of the future.
"When your headlights aren’t on, the best rear view mirror available isn’t likely to improve your driving"
Marth Rogers - Author, Extreme Trust