Part 1 in a Series Exploring the “Auditor of the Future”
In this first installment, Protiviti’s Jim DeLoach and Brian Christensen discuss the nature of the relationship between the “auditor of the future” and the board of directors with respect specifically to risk – which remains central to the internal audit function.
with co-author Brian Christensen
Just over three years ago, Protiviti released an issue of The Bulletin which introduced what we called the “future auditor” vision. This vision was then (and still remains) based on a definition framed by The Institute of Internal Auditors (IIA) which asserts that internal auditing is “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” The IIA’s definition points to an endgame to which every progressive chief audit executive (CAE) should aspire. It states that internal auditing “helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” The focus is unmistakably comprehensive.
We used the term “future auditor” to describe a CAE who takes definitive steps toward making The IIA vision a reality within the organization he/she serves. Last year, another issue of The Bulletin revisited the future auditor vision to corroborate its relevance against the increasing expectations of internal audit stakeholders, as reported by the Global Internal Audit Common Body of Knowledge (CBOK) survey.
Below, we explain the future audit vision and then begin a three-part series that discusses the future auditor’s advancement of the audit committee relationship.
The Future Auditor Vision
When we articulated the future auditor vision in 2014, we suggested he/she:
- Is positioned to be objective with regard to the enterprise’s operating units, business processes and shared functions and is vested with a direct reporting line to the board of directors or a committee of the board;
- Understands the organization’s business objectives and strategy and identifies risks that create barriers to the organization’s achieving its objectives and executing its strategy successfully;
- Is authorized to evaluate and challenge the design and operating effectiveness of the organization’s governance, risk management and internal control processes that address its critical risks and creates value by making recommendations to strengthen those processes and keeping the appropriate executives and directors informed regarding open matters;
- Uses a lines-of-defense perspective to ensure that risk management and internal control are functioning effectively;
- Articulates the value contributed by a risk-based audit plan to the organization, providing an assurance perspective that the board and executive management can understand;
- Maximizes the use of technology to achieve efficiencies in assessing risk, expanding audit coverage, automating critical internal controls, tracking issues, providing exception reports and mining and analyzing data to draw meaningful insights regarding emerging risks and process and control performance; and
- Possesses escalation authority and proactively exercises that authority to bring important matters to the attention of executive management and the board on a timely basis.
With these responsibilities and independent positioning in place, the future auditor’s relevance is assured. He/she is recognized throughout the organization as a positive change agent and provides a valued source of objective insights to executive management and the board regarding the critical enterprise risks, risk management capabilities and opportunities for improving the effectiveness and efficiency of activities that matter most to the organization’s success.
To some stakeholders and practitioners, the above responsibilities may be nothing new and merely depict what CAEs are doing now or should be doing. We agree that some CAEs, particularly in financial services, actively embrace the future auditor vision. Our view is that every CAE has the opportunity to self-assess his/her value against the future auditor vision and determine whether gaps exists and, if so, whether such gaps are due to positioning, scope or skill sets.
No doubt, operating the internal audit function in accordance with the profession’s standards is vitally important. That said, in this three-part series, we elaborate on the future auditor’s advancement of the relationship with the audit committee of the board of directors (or its equivalent) on three distinctive but interrelated fronts: risk, value and communications. Our thinking is derived from our various client experiences, as well as from roundtables we have facilitated with seasoned CAEs. Of necessity, the interrelated nature of the three fronts gives rise to ideas that overlap to some extent. This first installment of the three-part series focuses on risk.
The Focus on Risk
The future auditor views risk comprehensively through the lens provided by the organization’s business objectives, strategy and operating model as a context for developing and executing a top-down, risk-based audit plan. The future auditor reaches beyond the traditional internal audit scope on operational, compliance and financial reporting matters in a variety of ways:
Thinks strategically. By identifying risks that create barriers to the organization’s achievement of its objectives, the future auditor takes the high road of applying a strong business context and strategic thinking when engaging key stakeholders. This approach directs attention to the risks that truly matter to executive management and directors. With the organization’s strategy and business model as a context when proposing top-down, risk-based audit plans and evaluating risks and risk management capabilities, the future auditor can engage in high-end, high-touch activities such as facilitating management’s risk appetite dialogue, assessing the continued validity of strategic assumptions and evaluating the organization’s strategic alignment and progress toward executing the strategy.
Fosters early alert reporting. Alerting management about emerging risk issues is a high priority for the future auditor, whether through existing processes and systems supporting activities targeted in the audit plan or through mechanisms instituted by the audit team. Offering insights on changing environment, regulatory and risk scenarios is critical in these volatile times.
Considers the “unknown unknowns.” The reality of today’s environment is that management and the board can never be certain that they know everything they need to know. Risk assessments influenced by groupthink, overconfidence and dwelling on past trends and experiences rather than by a forward-looking process which emphasizes current and anticipated dynamics lead to rehashing proverbial “known knowns” on a risk map year after year. Shuffling known risks around on a map adds little insight for decision-making unless there are inherent challenges with managing them. Accordingly, the future auditor’s audit plan emphasizes the identification of key issues of which management and directors may not be aware.
In doing so, the future auditor undertakes a comprehensive risk focus. Therefore, consideration of issues affecting execution of the strategy is of paramount importance (e.g., changes to the company’s risk profile; assessment of how new technological trends are impacting the business model; evaluation of the enterprise’s ability to respond to the unexpected; and identification of significant non-financial reporting, operational and compliance issues).
Serves as the watch guard of risk culture. From time to time, the future auditor may use self-assessment techniques, internal surveys, focus groups and other techniques in addition to audit procedures (risk culture audits) to understand the current state of the entity’s risk culture, ascertain whether any significant gaps exist versus the desired culture and identify specific steps to rectify those gaps. Gaps may arise from such matters as unusual risk-taking; inappropriate compensation incentives; delays in remediating control deficiencies; effects of attrition and budget cuts on the control structure; evidence of eroding core values; and continued significant policy violations.
Strengthens lines of defense. The future auditor focuses on the performance of the primary risk owners and independent risk management and compliance functions in fulfilling their respective responsibilities as the first and second lines of defense. If necessary, the auditor provides an effective challenge to these parties through observations and recommendations for improving their effectiveness in discharging their responsibilities. He/she also considers the effectiveness of escalation protocols in elevating significant issues to senior management and the board for timely resolution.
Maintains vigilance against fraud. The future auditor conducts periodic risk assessments and evaluations of the organization’s anti-fraud and corruption program using data mining and analytics techniques applied to transactional data. These reviews enable the auditor to obtain insights into the operating effectiveness of internal controls and identify indicators or patterns signifying possible fraudulent activity requiring further investigation.
The focus on risk lies at the core of much of what internal audit is expected to do. Applying a risk lens to the formulation and execution of the audit plan and reporting on its results enable the future auditor to evaluate enterprise risk, engage in constructive interactions with key stakeholders and contribute to the risk topics of interest to the C-suite and board.
We have explained the vision of the “future auditor,” our view of the CAE who takes definitive steps to apply the full scope of The IIA’s definition of internal auditing. CAEs who embrace the future auditor vision are better positioned to demonstrate to executive management and the board the value contributed by internal audit through their comprehensive risk focus and forward-looking, change-oriented and highly adaptive behavior. Now is the time to raise the bar for the profession. It is up to progressive CAEs to take the lead and show the way to reach the profession’s full potential as a discipline.
In introducing the future auditor, we have suggested that he/she advances the relationship with the audit committee on three interrelated fronts – risk, value and communications. Above, we discussed the focus on risk. Next week, we will discuss the focus on value.
 See the institute’s definition of internal auditing at the following site: www.theiia.org/guidance/standards-and-guidance/ippf/definition-of-internal-auditing/?search%C2%BCdefinition.
 “The Future Auditor Revisited,” Issue 3 of Volume VI of Protiviti’s The Bulletin, July 2016, available at www.protiviti.com/US-en/insights/bulletin-vol-6-issue-3.
 See https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx for The Institute of Internal Auditors Standards for the Professional Practice of Internal Auditing, effective January 1, 2017.