Roundtable discussion: The internal audit tipping point is now

Technology is now an essential tool for all audit teams. We have reached a tipping point and internal auditors can no longer provide an adequate service if they do not utilise technology effectively. Changes that have been gradual and partial – depending on individual teams and sectors – have become the norm as Covid-19 has forced auditors to work from home and audit functions and processes remotely. Technology can no longer be regarded as a “nice to have”. These were the propositions put to a group of heads of internal audit at an event hosted by the Chartered IIA and Galvanize in February this year.

Participants were asked to discuss elements of this theme, in particular: What is now expected of internal audit? How can internal audit become more visible to executive management and offer increased levels of assurance to make it more valued as a partner to the business? How can it leverage data from different systems across the business to create a consolidated view of risk and break down silos?

The conversation – conducted virtually – was candid, a demonstration itself of how comfortable people have become interacting via video. To ensure that people felt comfortable speaking freely about their experiences, we have preserved individuals’ anonymity; however, the quotes below are taken directly from the discussion.


Changing perceptions

One important element was the need to drive change in the wider organisation and to build on the relationship with management forged during the crisis.

"Now more than ever we want to be seen as relevant. During the Covid pandemic people came directly to us for support, which was great. How can we be more commercially aware and focus more on protecting and creating value – pushing the business forward so it can make better commercial decisions with risk in mind? How can we become better business partners?"

However, “helping out” in a crisis can also lead to pressure to conform and be “supportive”, rather than critical. The pandemic highlighted weaknesses in controls and processes that now need to be addressed and improved, rather than ignored because management and internal audit have survived a tough experience together.

"Internal audit can sometimes feel that it’s incumbent on them to sing to the tune of the organisation, rather than constantly challenging it. I recently read that people who are not deal-challengers are deal-makers – and that’s not what we need in this role. Objectivity is more important than ever.

"We need to be brutal on audits, but it’s also important to be brutal on business units. If the organisation pats itself on the back and says ‘we’ve weathered the crisis’, we need to ask ‘but at what cost?’.

"We had warnings about the pandemic from the Far East in January and February last year. If our organisation failed to escalate these until the national measures were imposed in late March, we all relied on false assurance that we were ok for far too long. Similarly, the WEF predicted problems with global supply chains early on, but most organisations were not listening, and this shows that our risk controls and processes were not working efficiently."

"It’s important to demonstrate to the business that we may not be specialists in specific areas of the business, but that we have specialist knowledge in risk and control. We need more general education on what internal audit does. "

"I have stepped-up stakeholder touchpoints with the audit committee, executives and second-line functions in order to keep stakeholders informed of internal audit’s work, give them the opportunity to raise new requests, and (for second-line functions) align plans to present a joined-up assurance approach to the business. Reinforcing internal audit’s network of contacts has been crucial to keeping on the radar and getting prompt input from the business for quick decision-making in the remote environment."

Some felt that internal audit does not always engage the right stakeholders in the business and suggested drawing up stakeholder management plans identifying the critical people and how and when they would be contacted. Communication, education and new relationships with managers should be mapped, planned and pursued formally – and progress recorded.

"A clear visual map showing whom we need to know and speak to can really help to focus efforts. We have an assurance stakeholder plan and a separate governance stakeholder plan – one looking at whom we need to know to do our audits in the year ahead, and the other highlighting people at a higher level whom we need to know to raise our profile."

This will enable internal auditors to have the conversations that make long-term changes happen.

"We are not perfect and don’t have all the answers, but we can spark conversations and raise issues about risks in ways that senior management may not have thought of and may lead to a new perception of risk. A good example is around long-term risks such as climate change."

 "We still need to leverage our relationships with the chair of the audit committee and the CEO. We’re doing a lot more with root-cause analysis – for example, we’ve found that some of the worst – and the best – practices found in regional offices turn out to be common across the business, so if we can identify these we need to call them out at group level, not just as a regional office issue.

"We’ve tried issuing memos about risks and problems we’ve found relevant to the whole business and this has really helped. We’ve made it clear that this is not about blaming one office, but about highlighting common issues that matter to help everyone improve."


Resources

"The future of audit hinges on a data-driven strategy."

New types of business may require internal audit to gain skills and commercial knowledge – even if they are not in that business themselves. How are high-tech businesses changing the broader risk and commercial landscape for everyone? 

"We need to think about how we audit large digital organisations such as Amazon. Do we have the analytical skills and knowledge and do we understand their strategy? And how will other sectors such as energy providers be affected by the large artificial intelligence and social media organisations in future?"


A new focus

Internal audit has to be aware that “bells and whistles” audits may not be appropriate or possible now, or for some time to come. This is where technology, coupled with commercial acuity, can help internal audit to drill down, identify what is critical for the business and where assurance already exists.

"What are the critical controls? For example, one purchase order may be referenced at multiple stages. We should be able to step back and ask: ‘What are the key controls here? What should we focus on? What is most critical? What is the potential impact on the business?'"

"We need to get out of the ‘weeds’, work out what is most important and focus on the higher level things."

"Many ‘low-level’ audits have had to go by the wayside while we cope with much higher level issues around the business plan and strategy."

"Within internal audit, we have an approved 2021 plan with one-page audit overviews for each audit in the plan. We are using this as a starting point for pre-planning discussions with stakeholders, which include identifying what data they use to manage their area and the source of this data. This then forms the basis of designing our data analytics tests."

The experiences of the participants at the roundtable varied; however, it was clear that all were seeing demands from stakeholders for prompt, focused, concise and relevant assurance. Many were using audits of their organisations’ response to the pandemic to question whether there were gaps in risk management and/or internal control assurance provision before the virus spread worldwide.

The Covid pandemic has exacerbated many existing trends and caused internal audit teams around the world to ask whether their organisations were in the best place possible to deal with its impact. Accurate, timely information and the ability to turn this into meaningful reports and actions has never been more important. Automation is no longer a “nice to have”. It is essential for a mature internal audit function. Covid did not create this need, but it has made it universal. That, surely, is a tipping point. 

Galvanize is the leading provider of GRC software for audit, risk management and compliance professionals. The integrated HighBond platform helps audit teams efficiently manage their entire audit workflow. To learn how Galvanize solutions increase assurance and reduce costs and manual work through automation, visit www.wegalvanize.com

This article was first published in March 2021.