In a challenging and ever-changing business climate, stakeholders are seeking – if not demanding – guidance from the internal audit profession to address strategic and emerging business risks.
But what tactics can internal audit use to make sure it meets those demands and help the profession thrive? That was a main focus of the new Pulse of the Profession report, Enhancing Value Through Collaboration: A Call to Action, from the Audit Executive Center of the Institute of Internal Auditors (IIA).
The report, released during the IIA’s 73rd International Conference in London on Monday, examined changing expectations from key internal audit stakeholders based on the findings of four major industry surveys from the first half of 2014. It also zeroed in on five key strategies to meet those expectations, primarily through communication and collaboration with stakeholders.
“Traditionally, internal audit has been reactionary, but that approach is changing,” IIA President and CEO Richard Chambers said in the report. “Our value to an organization depends on furthering this change in course."
The Pulse report found agreement within industry surveys for expanding internal auditing’s role, but it also identified gaps – sometimes significant – in expectations of and confidence in the profession’s ability to deliver assurances and services in new areas. According to the report, the key to enhancing internal audit services is for chief audit executives (CAEs) and other heads of audit to recognize and address those gaps.
“Every company, situation, and leader is different,” Gina Eubanks, IIA vice president of professional services, said in the report. “Are you ready to sit down with your stakeholders to understand how they define and measure success of internal audit?”
In its new report, the IIA highlighted the following five strategies for internal audit success.
1. Improve upon alignment with expectations of key stakeholders: Setting the tone for alignment by working with stakeholders is imperative. According to KPMG International’s2014 Global Audit Committee Survey, the first step is to “recognize that internal audit is most effective when it is focused on the critical risks to the business, including key operational risks and related controls – not just compliance and financial reporting risks.”
CAEs should consider presenting strategic plans, spanning three to five years, that lay out changing levels of assurance services and advisory services in accordance to what internal control structures will permit.
2. Assume a leadership role in coordinating the second and third lines of defense: The IIA strongly advocates educating stakeholders on the three lines of defense model – management controls, risk management, and internal auditing – for dealing with risk. The IIA’s study found confusion specifically over just where those lines are drawn, which could create an opportunity for expectation gaps to grow. In the IIA’s Pulse survey, 64 percent of respondents said those lines are not clearly, somewhat, or moderately defined.
“The CAE should assume a leadership role in getting everyone back in their lanes, ensuring that there is no duplication or gaps in coverage,” Chambers said.
3. Enhance internal auditing’s capability to address critical, strategic business risks: As concerns among key stakeholders – chiefly management, audit committees, and boards – shift from traditional controls and finance issues to strategic business risks, internal audit must adapt to meet changing priorities.
For example, in KPMG’s 2014 Global Audit Committee Survey, respondents wanted the audit function to “devote more time and/or sharpen its focus” on areas outside of corporate governance that are typically associated with the internal audit function. Such areas included selected management process (65 percent), IT and data management (58 percent), and operational risks (52 percent).
4. Develop and implement knowledge and talent-acquisition strategies: To expand its responsibilities, the internal audit function must possess the requisite talent in nontraditional areas, such as the risk management process, IT, and operational risks.
The Pulse of the Profession survey found that skills being recruited or built into audit functions were more likely to be general than industry specific. Specifically, CAEs responding to the survey reported they are more likely to recruit based on analytical/critical thinking (75 percent), communications skills (58 percent), risk management assurance (44 percent), and IT (41 percent) versus industry-specific knowledge (36 percent).
Success hinges on not only identifying the skills to meet these changing demands but also in the recruiting strategies to find workers with relevant skills.
“Acquiring the right people is not the end, it’s the means,” Chambers said. “Acquiring the right people is the means toward having the knowledge and capability in the organization to address a full spectrum of risk.”
5. Become a trusted advisor to the audit committee and executive management: Experienced CAEs who succeed in understanding stakeholder expectations, addressing strategic business risk, and nurturing necessary talent can comfortably form advisory relationships with stakeholders. Those relationships will also make it easier to educate these stakeholders about emerging risks and mitigation strategies.
“The world as we know it is changing and so must the role played by internal auditing,” Anton van Wyk, senior vice chairman of the IIA Global Board of Directors, said in the report. “In recognition of the multitude of dependencies and impacts that exist, the concepts of integrated thinking and reporting, formalized stakeholder engagement, and the annual integrated report are ways of ensuring internal auditing views business more holistically.”