From corporate policemen to strategic advisors, internal auditors have come a long way over the past decade. Today, boards and leadership teams are looking to them not just to point out where internal controls are inadequate or ineffective, but to provide insights on how the business can improve its efficiency and operating effectiveness. This has become particularly important in the face of increasing compliance burdens, cost pressures, and digital disruptions. So, how can internal auditors rise to the challenge and deliver the value that their business needs? Here are a few ways.
One of the simplest ways for internal auditors to create value is to ensure that their objectives and plans are always aligned to business objectives. Not only does that help them deliver more relevant insights, but it also helps the business be clear about what they want to achieve. Internal auditors might even want to challenge the business objectives to ensure that they are precise, attainable, and practical.
A strong understanding of the business is important here. Many audit training programs focus on enhancing the technical skills or domain expertise of the audit team, but it’s just as important that they build the team’s business knowledge as well: How does the business work at multiple levels? What are its key drivers, challenges, strengths, and weaknesses? What is it trying to achieve?
As auditors explore these questions, they can gain a clearer perspective of how and where to add value. They can also sharpen their focus, so that when they go into the business, they’re able to more quickly pick up on issues or processes that aren’t aligned to strategic objectives.
It helps to have some sort of integrated data model to understand how audit objectives, plans, and programs tie back to business objectives. Many organizations use audit management software to map together objectives, as well as the risks that impact those objectives, the controls to mitigate those risks, and associated business units, functions, and processes. This tightly integrated data framework makes it easier to get a sense of the audit universe and how everything is linked together.
Regular meetings with the audit team enable internal auditors to measure their progress and ensure that they are still aligned to the right objectives. These meetings allow them to identify what’s working in their audit plans, what isn’t, and what needs to be changed. Every potential audit can be quantified in terms of its relevance to business strategy. Those that have a larger impact on the achievement of business objectives can be given a higher weighting.
Sometimes strategic objectives may change. As a result, an audit issue that may have seemed significant some time ago may not require the same kind of attention or investment anymore. The only way to know that is to keep the conversation with the business going, and—within the audit team—to meet, take stock, and check that everyone is still focused on the right goals. Otherwise, it’s easy to lose sight of what the team is trying to achieve.
Reporting is internal audit’s opportunity to weave together what they’ve seen and observed into one cohesive set of insights that can help the business catalyze efficiency, performance, and growth. One of the keys to effective reporting is to break down complex or highly technical concepts into relatable terms, while also turning facts and data into a compelling narrative that the business can proactively act upon.
Here again, it’s important to keep coming back to strategic objectives. When business leaders understand which audit issues are most likely to impact the achievement of their goals, they can then prioritize their responses efficiently, rather than trying to address all audit issues at once.
Many internal auditors leverage predictive analytics to anticipate emerging risks, so that the business can get ahead of them before they snowball into larger issues. Today, there’s so much information available for internal auditors to provide better insights to the business. Are they leveraging it all? Are they being creative in how they gather, analyze, interpret, and more importantly, communicate the data? These are important questions to ask.
Technology can be an effective enabler when it comes to audit reporting. Especially in large, globally distributed enterprises where audit teams are scattered across locations, a scalable audit management solution can improve efficiency by streamlining and automating audit reporting workflows. Users can accelerate the process of pulling together data, and consolidating it into standardized reporting templates. They can also track the status of audit tasks and activities across the enterprise in real time.
In many organizations, the shift to agile internal auditing has been driven by the need to reduce audit costs, strengthen collaboration with the business, and deliver faster, better insights. It’s a significant move away from traditional annual audit plans and risk assessments which were largely static in nature. Agile auditing focuses on responding more dynamically to changing risks and stakeholder expectations. Not only can it help strengthen audit reporting and stakeholder satisfaction, but it can also improve the audit team’s morale, job satisfaction, and commitment.
The agile approach typically involves multiple short, collaborative, and targeted projects based on an iterative model that allows for frequent feedback. These projects are largely flexible in nature to keep pace with changing requirements. While traditional audits are often planned based on the capabilities and capacities of the audit function, agile audit plans tend to focus more on what the business needs. If the capabilities of the audit team aren’t sufficient, subject matter experts (SMEs) are often called in to fill the gaps.
At the MetricStream GRC Summit, one of the speakers talked about how his company used the agile methodology to solve a persistent SOX compliance challenge, i.e., aligning changes in the HR database to the IT access rights database. Earlier, the process was largely manual and cumbersome. Realizing they had an opportunity to improve efficiency, the assurance function helped put together a Scrum team of collaborators including a senior IT auditor, coding experts, and an SME from the IT department with knowledge of SOX compliance. Within three months, the team had developed a solution to automate the process of matching the two databases. Not only did it improve compliance efficiency, but it also boosted the assurance function’s reputation as a problem-solver and trusted advisor.
Internal auditors today have the opportunity to create real business impact. The work that they do can help shape effective risk and compliance management programs, while also enabling leadership teams to be well-prepared for future challenges. As they focus on better alignment with business strategy, better quality reporting, and better agility, internal auditors can strengthen their reputation as value creators, and help their organizations move forward with confidence.
Business crisis is not unknown. What is unknown is the time and type of occurrence, and its impact. There have been numerous situations where the readiness of the organization to brace for a crisis has been of serious concern – whether it is a financial crisis, personnel crisis, organizational culture crisis, technological crisis or natural/environmental crisis. The effects of each of these could be handled by being responsive to the situation, managing it proactively and creating a recovery plan. It’s evident that being a proactive assurer is the best way to mitigate or minimize the effects, but it’s not always the most feasible one!
Whether it was the Great Depression of 1929, the 2008 Financial Crisis and Recession, the Dotcom Crash, or the Global Pandemic standstill of 2020 – they have all created terrible nightmares for the business world. Have organizations learned from these pitfalls? What are the underlying business functions and resources an organization should focus on to control the unknowns? How can organizations make sure the impact is lessened - by anticipating potential problems and making the right choices to resolve a stressful status quo? The Internal Audit function with its overall strategic perspective of the business is the line of defense which can hold together and anchor the business through a crisis.
Today, we are in a global economy where demand, supply, logistics, resources, and skills are all interwoven. When crisis strikes, it changes a lot of things in and around a business - the processes, goals and objectives, associated risks, policies and procedures, sales strategies, customer demands, and many more. However, change is not just physical or what can be seen, but also emotional and habit centric. The business may not run as normal and that might just heighten the number of uncertainties and risk dimensions.
Since the impact is sudden, the changes are a chain reaction, and gauging these ups and downs needs an eagle eye on the processes and preparedness. Internal auditors play a vital role in keeping a business resilient - having a clear understanding of areas of impact, anticipating the severity, displaying agility, and transforming to adapt to variance – these are a few aspects where an internal auditor can directly contribute during desperate times. But this cannot be a one-sided effort. There are not many organizations which involve internal audit teams in crucial decision making at the beginning. It is however imperative to understand that the value internal auditors create in ensuring the smooth functioning of the business at any time will only grow with their deeper involvement and insight.
The role of an internal auditor does not start at a point when all the other lines of defense have completed the observations, defined the risks, funneled the regulations or mapped the policies. In fact, internal auditors are an intrinsic part of the entire spectrum of activities as they possess a unique overview of various facets of the organization, and that’s what makes their contribution towards keeping a business afloat even during a crisis, crucial. They carry the ability to dive into the moving parts of a business process mechanism and check for silos, ensure all the crisis management plans are created in accordance with the risks, emergency response and communication plans are aligned with the best practices and most importantly with the overall business goals and objectives. They also make sure that the plans are tested, approved and practiced by responsible teams on a timely basis, so that the crisis management plans are not just limited to being documented, but also effective.
To create a risk free and sustainable environment, here are some key questions which if addressed can create a resilient business:
Internal auditors create a resilient business by taking into consideration the above aspects and mapping them to the appropriate business lines, based on the attributed risk scores for the type of crisis. It is important for internal auditors to set expectations with the stakeholders, but also to understand what they are looking for, before deriving a plan.
It’s imperative to have a clear and thorough plan to avert the impact of any potential crisis – which may otherwise have disastrous results – such as losing customers, closing operations, non-recoverable losses, market shrinkage – to name a few. A culture of resilience can be created with proper dissemination of information, constant oversight of the processes, imparting training and awareness, and timely board reporting. Perhaps the one function which can perform all these activities with ease and act as a fulcrum for the overall crisis resiliency is the internal audit team.
Performing these activities is not limited to the flexibility and reach of an Internal Auditor but also to the willingness of the management to invest in such readiness plans. It is a battle between investing capital for such unforeseen events in a proactive manner or waiting for such events to occur and believing that all things can be taken care of on the fly. However, it’s likely that one such event can occur during the lifecycle of a business, and that’s when the true value of having invested in such a plan and advocating the role of internal auditors, will yield positive results.
To a great extent, organizational changes are based on the type of crisis faced. But when the extent of the impact is global, the repercussions can be far reaching and last for a longer duration. So, it becomes important to analyze, prepare, invest, and ensure that the third line of defense is powered to help build a resilient business.
Like almost every other business function, internal audit (IA) has been comprehensively disrupted by the global pandemic. In just a few months, audit teams have had to adapt quickly to fewer resources, rapidly evolving business priorities, and a distributed workforce.
The good news is that IA groups, by virtue of their organizational knowledge and visibility into risks, are well-positioned to advise the management and board on how to navigate the uncertainties ahead. But to do so effectively, they might need to rethink traditional approaches to auditing.
Risks are changing so quickly today that long-drawn-out audits with rigid, pre-set plans no longer work. Auditors need to be able to quickly pivot and respond to new risks such as employee health and safety risks, information security risks, supply chain risks, and even the possibility of an economic downturn. Auditors also need to be able to deliver frequent insights to the management and board—all while coping with limited resources.
That’s where agile auditing can help.
At a recent MetricStream webinar, our internal audit expert pointed out that agile internal auditing is ultimately a mindset. It’s about being flexible and responsive to changes in both internal and external environments.
Agile IA focuses on faster audit cycles, timelier reporting, less waste, and greater business value. In fact, it pushes auditors and stakeholders to determine upfront the value that will be delivered by a particular audit project. It also helps prioritize audits based on their importance and urgency—which is critical in today’s fast-evolving environment.
Since agile auditing requires IA teams to do more in a shorter time frame, a lot of discipline and rigor is involved—right from audit planning and resource allocation, to field work and reporting.
Compared to traditional audits, agile auditing is quicker and more iterative. Documentation requirements are fewer. And instead of a predefined plan set in stone, agile audit plans are usually flexible. They’re broken down into multiple shorter cycles that make them more agile and responsive to change.
Here are a few best practices to inject more agility into internal auditing:
1. Build shorter, iterative plans:
Break audit projects into smaller segments or sprints that can be completed in a shortened time frame – typically two weeks. Leverage a risk-based approach to the audit planning process, but also include the outcomes of prior audit assessments and changes to the organization’s risk profile. When drawing up a plan, define key success metrics, project objectives and scope, resources required, and timelines. Have a project information dashboard with complete visibility into the project scope, status, and results. At the end of each sprint, review and adjust audit priorities, tasks, and goals as needed. Also, identify any major issues that need to be addressed.
2. Continuously prioritize focus areas:
Build an audit backlog of all items in scope. Evaluate it at regular intervals to check for relevance. Add or remove items from the scope whenever new risks emerge, or when older scoped items are no longer important. The objective is to keep the backlog updated and current instead of basing it on issues that were pre-determined many months ago. This, in turn, requires a keen understanding of what’s happening in the business and external environment.
3. Communicate more frequently:
Hold short, precise meetings or Scrums with key business stakeholders to discuss the tasks completed, tasks lined up, existing hurdles, and potential issues. Wherever possible, collaborate with other assurance providers to minimize the duplication of work while also ensuring proper risk coverage and testing.
4. Provide timely insights:
Communicate how shifting business priorities can change the organization’s risk profile through each phase of the pandemic. Report on the likelihood, velocity, variety, and impact of emerging risks. Ensure that audit reports are brief and succinct with a summary of observations, findings, trends, and opinions.
In a post-pandemic world, technology is no longer simply a nice-to-have, but an imperative. Especially in a distributed workforce, internal auditors need technology to collaborate better with stakeholders, access information quickly—and enable agile auditing.
MetricStream Internal Audit Management facilitates a dynamic, risk-based approach to agile audit planning where new risks can be continually added to the plan as priorities shift. The product accelerates internal auditing with streamlined, automated processes. It also helps optimize resource allocation, so that auditors can do more with limited resources. Real-time reporting and analytics tools process massive volumes of data quickly, so that auditors can speed up reporting, and enable business leaders to make decisions faster.
But this is just the beginning. With artificial intelligence, robotic process automation, and advanced analytics, IA practitioners will be able to continuously monitor and easily detect risks even while working remotely. They will be able to collaborate more seamlessly across the lines of defense, and automatically integrate data on risks and issues from multiple diverse sources. They will also be able to anticipate risks, and predict disruptions more effectively. All these capabilities, in turn, will enable them to demonstrate better agility as they help their organizations tide over the pandemic.
Diverse use of Data Analytics (DA) and Robotic Process Automation (RPA) is not unknown in this data driven world. Even though the number of businesses leveraging analytical tools to unleash the power of big data is over 50% of the industry, there are still a significant number of business areas or functions which steer away from this advancement. Among them, the internal audit function is one such area with relatively untapped potential of analytics, as it is still trying to explore the extent of its applicability and usefulness.
Being the third and final line of defense, internal audit must keep any business anomaly or risk from arising outside, or slipping past, the Chief Audit Executive’s (CAE) field of vision. Adapting to a world where decision making relies on data-driven technology does not appear to be an easy proposition for CAEs.
Expectations from a CAE have risen to a different level; swifter detection of risks, red flags for process anomalies, caution for fraud, and continuous control monitoring are table stakes in the line of duty. As the gatekeeper of the final defense, internal audit evaluates risk management, compliance function, and all the other governance processes. And this is precisely where data has a significant role to play. Performing all these activities without any data intelligence aggravates the challenges. Auditors are used to sampling methods, extrapolating the results and treating them as issues, whereas the problem might lie within the hidden data. If you dig deeper you might be able to get to the root cause of the problem. The recording and visualization of metrics and review of every bit of data is pivotal to achieving success.
Now, why do we deem RPA and DA to be a necessity for CAEs? Because this is not about the future; these technologies are already being leveraged and are relevant in the present. The tsunami of technology has taken over, and it’s the world of big data where a lot of exciting things are happening! Everything we know of will become redundant and technology will take over, or rather, has already started to. CAEs need to think and reflect on what can be done to stay relevant.
What can CAEs do to innovate, improve, and add value to the organization? As an auditor needs to connect constantly with the audit committee, the board, peers, the risk committee, the regulators, and stakeholders, communication is key. Nowadays no one is interested in knowing the sample size; every data point is important, and they need assurance that no data within a process has been overlooked. DA and RPA come into the picture to help derive value from the volume of data in such scenarios.
It is equally crucial to understand your expectations from such technological assets so that technology does not ruin the objective. To cite a few examples in which business functions are leveraging analytics: many financial organizations utilize algorithmic trading to sell or buy commodities, as the system shows which clients are more likely to trade at given data points based on historical behavior; human resource functions leverage in-built algorithms to select candidates. In fact, a lawsuit against an applicant tracking system (ATS) was filed for an unknown glitch in the algorithm where it would not pick any profile of women with strong professional backgrounds for a higher position. Hence there are cases where the in-built algorithms might not be what was needed, and that is one of the challenges for auditors to focus on.
So, what steps can we take to make the giant leap in safeguarding the organization?
Firstly, it is essential to understand the business objectives of your organization, which would grant you the flexibility to align your activities to the end goal. Take stock of requirements and develop a well-defined strategy for innovation.
Equally significant is understanding the capabilities and skill matrix of the present group of auditors within the organization at a global level, to see how relevant they are in the current scenario and, based on this assessment, introduce relevant training programs to enhance their skills and make them relevant. Ensure they have the business knowledge on the basis of which they can classify the technology or software being leveraged, along with the pattern of data flow used to arrive at the results.
CAEs need to build an infrastructure which not only supports the deployment of the automation technology but also facilitates ongoing maintenance and mitigation of any risks arising out of this.
Finally, a prototype of the operating model needs to be developed so that any variations in people, process, or technology can be linked or changed, to adjust with the current state. The new model should be a natural extension to the existing work model. But it is equally important to consider when and where the intervention is required.
As we take stock of the progress made in the past few years, we realize that organizations are seriously analyzing and accepting the immense advantages of these artificial intelligence and machine learning tools and moving ahead of the curve with RPA and DA tools. These disruptive technologies continue gaining acceptance from early adopters, as they prove their capability, reaping benefits across the complete internal audit lifecycle. Organizations are stepping up to implement a systematic approach that considers the operating model, infrastructure and applicability across the IA lifecycle, and gradually launch pilot projects.
The most important aspects of adopting an automated analytical technology are:
It’s time that auditors balance their responsibilities, stay more vigilant and engage proactively - as organizations adapt to disruptive technology, and the second line of defense remodels its approach to control neutralizations and tests. This will help CAEs gain more confidence as an assurer and focus on risks associated with these technologies to keep the board abreast of the emerging risks and provide assurance that these risks are being addressed adequately.