Part 2 in a Series Exploring the “Auditor of the Future”
Part 2 of this series from Protiviti’s Jim DeLoach and Brian Christensen discusses several ways auditors can add value to the organization beyond the scope of the audit plan.
with co-author Brian Christensen
Last week, we explained our vision of the future auditor, or the CAE who takes definitive steps to apply the full scope of The IIA’s definition of internal auditing. CAEs who embrace the future auditor vision are better positioned to demonstrate to executive management and the board the value contributed by internal audit through their comprehensive risk focus and forward-looking, change-oriented and highly adaptive behavior. We also began a three-part series to elaborate on the future auditor’s advancement of the relationship with the audit committee of the board of directors (or its equivalent) on three distinctive but interrelated fronts – risk, value and communications.
In addition, we focused on risk, advancing six ideas on how the CAE could enhance the audit committee relationship. Below we focus on value. Our thinking is derived from our various client experiences as well as from roundtables we have facilitated with seasoned CAEs. Of necessity, the interrelated nature of the three fronts gives rise to ideas that overlap to some extent.
The Focus on Value
One could argue that internal audit adds value simply by discharging its responsibilities in a cost-effective manner. We have no quarrel with this view. However, the challenge to think strategically leads the future auditor to another opportunity – to think beyond the scope of the audit plan and deliver tangible value. The future auditor considers the implications of audit findings across the organization with a business context that ensures the work of planning, executing and reporting on the audit plan is relevant to executive management and the board. There are a variety of ways in which the future auditor focuses on value:
Looks to the broader picture. In executing a top-down, risk-based audit plan, the future auditor looks beyond the scope inherent in the plan by “connecting the dots” of individual audit findings to identify patterns, insights and emerging issues and trends that lead to stronger, more practical and harder-hitting observations and recommendations. Focusing on the bigger picture positions internal audit to maximize value, even in areas outside the scope of the audit plan.
Collaborates with other functions. The future auditor recognizes the inefficiencies of multiple requests to process owners from multiple independent risk, compliance and assurance functions. Therefore, coordinating roles, responsibilities and audit and oversight plans, as well as sharing risk information and available resources, represent best practice.
Leverages advanced auditing capabilities. In a digital world, the future auditor recognizes the opportunity to embrace analytics if he/she has yet to embark on that journey. The “analog” approach to auditing has little use in an increasingly digital world. Our recent research notes that data analytics is gaining a foothold in internal auditing, with two out of three departments utilizing analytics as part of the audit process. However, most internal audit shops are still in their “analytics infancy,” as a strong majority assert that their analytics capabilities are at the lower end of the maturity spectrum. Not surprisingly, the more mature analytics capabilities are, the greater value they’re perceived to deliver. In addition, the future auditor views technology-enabled auditing capabilities as a top priority. Such capabilities include data mining and analysis, self-assessment tools, continuous auditing/monitoring, customized dashboards, exception reporting and computer-assisted audit tools (CAATs).
Evaluates the control structure. The future auditor considers the implications of change on the control structure. Our research notes that cybersecurity, cloud, mobile technology and big data are top-of-mind for many CAEs. These and other technology-related risks dominate the priority lists as business and digital transformation draw more attention across multiple sectors. In heavily regulated industries, there are opportunities to simplify, focus and automate controls to maximize cost effectiveness while also providing reasonable assurance that control objectives are achieved. Thus, the future auditor contributes value through:
- Benchmarking best practices and providing observations on industry risks and trends as well as input on designing and improving internal controls.
- Looking beyond the symptoms identified in individual audits to offer a position on what the identified issues might mean from a governance, risk oversight or culture standpoint.
- Articulating impact of control issues in alternative ways (an assessment of potential velocity-to-impact, social media impressions and reputational impact, for example), if unable to quantify impact.
- Offering commentary on recent relevant events (e.g., ransomware attacks – has the organization been impacted, what is our exposure, what are we doing to prevent attacks?).
- Automating ongoing controls monitoring to foster timelier, comprehensive continuous auditing.
Streamlines the compliance infrastructure. Due to proliferating operating silos, control ownership gaps and overlaps, fragmented and diffused reporting of risk and control data, conflicting stakeholder expectations and a lack of entity-level transparency in how the compliance infrastructure is actually functioning, there are myriad opportunities for the future auditor to recommend ideas to make compliance more agile and efficient.
Improves information for decision-making. The best decisions emanate from reliable information. Accordingly, the future auditor takes every opportunity to understand the nature of the performance metrics, measures and monitoring systems used to manage specific areas under audit, including at the entity level, and assess the quality of that information and recommend improvements to enhance quality. In addition, to generate value-added insights, the future auditor may deploy analytics tools to create lead performance indicators and trending metrics to signal when risk events might be approaching or occurring.
Addresses the four C’s. The future auditor is well aware of the hot issues with which directors are concerned and aligns the top-down, risk-based audit plan accordingly. To that end, there are four areas that provide an excellent starting point for internal audit:
- Culture – As noted earlier, watch for signs of a deteriorating risk culture.
- Competitiveness – Armed with a strong business context, address the underpinnings of what makes the organization competitive in the marketplace, particularly with respect to cost effectiveness and efficiency issues.
- Compliance – Broaden the focus of the audit plan on important compliance matters and the quality of the related
- Cyber – Focus on the risks of major importance; cyber risk is at center stage for many companies at this time.
Focuses on the committee’s responsibilities. Topical areas germane to the auditing cycle – risk assessment, annual audit planning and coverage, reporting results, issue follow-up and evaluation of internal audit resource requirements – should be aligned with the board’s agenda priorities and meeting frequency and be responsive to all topics in the committee charter that are relevant to internal audit’s scope. If the audit committee has risk oversight responsibilities, the future auditor is focused on the relevancy of the top-down, risk-based audit plan to the committee’s oversight priorities.
Prepares for the big question. Finally, the future auditor expects the question regarding how internal audit has added value and is prepared to respond. One idea on value: Always plan to incorporate an education piece in the audit committee package, such as an article, a few slides from a conference or a crisp, informative one-page summary of a particular opportunity or issue.
One added point: It is often helpful to understand the audit committee’s composition and various directors’ backgrounds (e.g., other board and management positions they hold and other companies they serve). The risks and external environment trends affecting those companies and the industries in which they operate present sources of questions the directors may raise. Directors with a “Big 4” background may receive their former employer’s thought leadership publications from which they source trends and topics for discussion with their peers on the board. Accordingly, it may make sense to stay current with that literature.
The above examples are intended to be illustrative in summarizing ways in which the future auditor positions his/her function to contribute value. They are not intended to be exhaustive.
The future auditor vision is all about taking concrete steps toward making the future state envisioned in the IIA definition of internal auditing a reality. In doing so, the future auditor enhances the value of the internal audit function. This perspective is important because, in our view, executive management’s and the board of directors’ expectations of the internal audit function continue to rise; therefore, progressive CAEs must continuously upgrade the capabilities of their functions to keep pace with higher expectations.
The CBOK study provides a context for the target. It suggests that audit committees desire the CAE and internal audit function to think more broadly and strategically, move beyond assurance to provide value-added consulting and advisory services and continue to deliver to expectations. To address these imperatives, we have suggested 15 ways in which the future auditor focuses on risk and value. Next week, we conclude our three-part series by addressing the future auditor’s focus on communications.