As businesses prepare to capitalize on an improving economy, internal audit is being called on to help light the way with sharper insight and smarter risk management. In addition, with Sarbanes-Oxley and a record of efficiency improvements behind them, boards and executives have issued internal audit a new challenge to deliver even more value – the status quo is simply not enough. A best-in-class internal audit function must be proactive, value-oriented, strategic and efficient.
In order to stay ahead, it is more important than ever that organizations upgrade their internal audit function to be more productive — in essence, driving it to a higher level. Chief audit executives, or CAEs, are shifting their mindsets from a compliance orientation to a more progressive value enhancement orientation in considering how to carry out this charge and help their organizations drive sustained growth.
This article outlines important factors and initiatives needed to advance the internal audit function.
Get proactive with management and the audit committee
A good relationship with management and the audit committee is not enough. In order to maximize the value of the internal audit function, it is important to forge ongoing dialogue and demonstrate an intrinsic knowledge of the broader business as well as challenge the status quo or raise concerns when appropriate. In fact, according to Grant Thornton LLP’s 2012 Chief Audit Executive Survey, 60 percent of respondents take issues to the audit committee that run counter to management’s view — up 8 percent from last year’s results.
Internal audit professionals should also work with senior management to address the most pressing business needs and in so doing help monitor and mitigate financial, operational, compliance and strategic risks. For CAEs, the continuing challenge is to remain an objective thinker while also being a respected adviser to both the audit committee and senior management.
Develop strategic vision
The strategic vision of internal audit and that of the broader organization need not be mutually exclusive. However, internal audit should address in its vision the challenges that are unique to its function, while the broader business strategy may not speak to those challenges. The strategic vision of internal audit should also align with the organization’s IT strategy. A CAE who doesn’t know when, where or how to apply technology-based techniques risks losing credibility.
Leverage governance, risk and compliance technology
Grant Thornton’s 2012 Chief Audit Executive Survey found that 50 percent of respondents do not use governance, risk and compliance (GRC) technology effectively; in fact, 79 percent do not use it at all. The greatest challenges in implementing GRC tools were the cost of effort and time to deploy, the cost of seat licenses, and maintenance and support issues. While this may be the case, it’s time for internal audit professionals to rethink their approach to technology.
Today, new tools are emerging to help execute an audit efficiently and enhance audit quality and value. Although it may be cost-prohibitive to launch a full-scale GRC platform, internal auditors can begin by strategically embracing GRC in areas that have a high volume of daily transactions and a high degree of conformity across the organization.
Stay relevant by staying current
Lack of relevance to the organization can be the kiss of death for the internal audit function. In order to demonstrate its value, internal audit must prove that it is not a rubber stamp, but rather a relevant and essential part of business operations.
When internal audit is not valued or has become a stale and stagnant part of an organization, it may be time to throw out the old plan and start again, using a blank sheet of paper approach. This approach provides a fresh perspective and gives internal audit the opportunity to realign and redefine critical responsibilities such as audit requirements gathering, results measurement, controls reporting and records maintenance.[1]
Network with peers
This may seem obvious, but it’s surprising how many internal audit professionals get trapped in their own bubbles. Networking — both inside and outside their organizations — can help them garner valuable insight and information.
Internal auditors should also make a point of connecting with peers through national and local Institute of Internal Auditors (IIA) relationships. With its peer-to-peer discussion forums, the IIA’s Audit Executive Center is a great resource for connecting with other professionals who are facing similar challenges. This outlet also provides CAE-specific products, services and thought leadership.
Get smart
There are no breaks when it comes to learning. Internal audit professionals must stay on top of their game by evaluating emerging trends, ensuring appropriate corporate governance and incorporating technology into the audit process. In addition, the IIA’s International Professional Practices Framework (IPPF) should be considered mandatory — not optional — in creating a best-in-class internal audit function that follows the highest standards and promotes best practices.
Although internal audit may provide a vantage point for organizational learning, other research suggests that it is essential for CAEs to have management experience outside internal audit in order to gain additional credibility within their organizations. A recent IIA report, Insight: Delivering Value to Stakeholders, observes that “[t]he lack of operating or general management experience [is] viewed as a hindrance to providing true operational insights … and may cause management to reject an internal audit analysis or recommendation.”[2]
The bottom line is that internal audit is receptive to assimilating broader responsibilities for evaluating emerging risks, ensuring appropriate corporate governance and incorporating technology into business processes. It is the journey from recognition to reinvention that is likely to present the biggest challenges and potentially the biggest rewards.
[1] For a more detailed discussion about this topic, see Grant Thornton’s The blank sheet of paper: An old tool is new again. The white paper is available at www.GrantThornton.com/corporategovernorseries.
[2] Miller, Patty, and Smith, Tara. Insight: Delivering Value to Stakeholders, pp. 39–40, 2011.
**********
About the Author
Warren Stippich is the National Governance, Risk and Compliance Solution Leader and the Market Leader of the Chicago Business Advisory Services Group at Grant Thornton LLP. He has more than 20 years experience working with multi-national, entrepreneurial, and high-growth public companies, including boards of directors and audit committees.
Warren brings experience to the business risk consulting and internal audit services areas from both the public accounting firm and industry perspectives. He leads many Sarbanes-Oxley consulting, internal audit services and SAS 70 projects for a wide-array of publicly traded and private businesses with international operations. He has worked extensively with international internal audit, Sarbanes-Oxley and business consulting assignments in Europe, Russia, China, Southeast Asia, Central and South America and Canada.
Warren is the National Governance, Risk and Compliance Solution Leader and the Market Leader of the Chicago Business Advisory Services Group at Grant Thornton LLP. He has over 20 years experience working with multi-national, entrepreneurial, and high-growth public companies, including boards of directors and audit committees. Warren brings experience to the business risk consulting and internal audit services areas from both the public accounting firm and industry perspectives. He leads many Sarbanes-Oxley consulting, internal audit services and SAS 70 projects for a wide-array of publicly traded and private businesses with international operations. He has worked extensively with international internal audit, Sarbanes-Oxley and business consulting assignments in Europe, Russia, China, Southeast Asia, Central and South America and Canada. He has lectured on governance, risk and compliance.
Experience
Warren began his career with Arthur Andersen in the external audit practice and later in the internal audit services practice. Later, he joined DEKALB Genetics Corporation, a $500 million multi-national public company, as the Vice President of Internal Audit and Worldwide Consulting. Subsequent to DEKALB, Warren was a Managing Director at American Express Tax and Business Services and a Partner in the related attest entity of Altschuler, Melvoin & Glasser LLP and worked in the attest and business consulting areas.Professional certifications
- Certified Public Accountant (Illinois)
- Certified Internal Auditor
Memberships
- American Institute of Certified Public Accountants; Illinois CPA Society
- Institute of Internal Auditors
- Board Member and Audit Committee Chair of Gateway Foundation, Inc., Chicago, IL
- Advisory Board Member of CIBER (Center for International Business Education & Research) at University of Illinois at Urbana-Champaign
- Board Member of the College of Business Alumni Association of the University of Illinois at Urbana-Champaign
Excellent advice Warren, particularly your point about the need for auditors to work with senior management to address the most pressing business needs and mitigate financial, operational, compliance and strategic risks. My company, Infogix, Inc., works with our customers to establish controls to eliminate errors as business information moves among disparate systems. The sheer volume of data flowing in and out of an enterprise can be overwhelming, but simply reporting on and fixing information errors does not help the C-level executives shape a company’s strategic vision. So where once we worked exclusively with IT, we’re now increasingly working with our customers’ CFO, risk managers and internal auditors to prepare reports that help operations leaders and other executives identify trends and opportunities to help improve their business processes.