No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • CCI Magazine
    • Writing for CCI
    • Career Connection
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Library
    • Download Whitepapers & Reports
    • Download eBooks
    • New: Living Your Best Compliance Life by Mary Shirley
    • New: Ethics and Compliance for Humans by Adam Balfour
    • 2021: Raise Your Game, Not Your Voice by Lentini-Walker & Tschida
    • CCI Press & Compliance Bookshelf
  • Podcasts
    • Great Women in Compliance
    • Unless: The Podcast (Hemma Lomax)
  • Research
  • Webinars
  • Events
  • Subscribe
Jump to a Section
  • At the Office
    • Ethics
    • HR Compliance
    • Leadership & Career
    • Well-Being at Work
  • Compliance & Risk
    • Compliance
    • FCPA
    • Fraud
    • Risk
  • Finserv & Audit
    • Financial Services
    • Internal Audit
  • Governance
    • ESG
    • Getting Governance Right
  • Infosec
    • Cybersecurity
    • Data Privacy
  • Opinion
    • Adam Balfour
    • Jim DeLoach
    • Mary Shirley
    • Yan Tougas
No Result
View All Result
Corporate Compliance Insights
Home Featured

Internal Auditors: Want to Ensure your Value and Relevance? Raise the Bar Within Your Profession

by Jim DeLoach
October 12, 2017
in Featured, Internal Audit
Internal Audit

Part 1 in a Series Exploring the “Auditor of the Future”

In this first installment, Protiviti’s Jim DeLoach and Brian Christensen discuss the nature of the relationship between the “auditor of the future” and the board of directors with respect specifically to risk – which remains central to the internal audit function.

with co-author Brian Christensen

Just over three years ago, Protiviti released an issue of The Bulletin which introduced what we called the “future auditor” vision.[1] This vision was then (and still remains) based on a definition framed by The Institute of Internal Auditors (IIA) which asserts that internal auditing is “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” The IIA’s definition points to an endgame to which every progressive chief audit executive (CAE) should aspire. It states that internal auditing “helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” The focus is unmistakably comprehensive.[2]

We used the term “future auditor” to describe a CAE who takes definitive steps toward making The IIA vision a reality within the organization he/she serves. Last year, another issue of The Bulletin[3] revisited the future auditor vision to corroborate its relevance against the increasing expectations of internal audit stakeholders, as reported by the Global Internal Audit Common Body of Knowledge (CBOK) survey.[4]

Below, we explain the future audit vision and then begin a three-part series that discusses the future auditor’s advancement of the audit committee relationship.

The Future Auditor Vision

When we articulated the future auditor vision in 2014, we suggested he/she:

  • Is positioned to be objective with regard to the enterprise’s operating units, business processes and shared functions and is vested with a direct reporting line to the board of directors or a committee of the board;
  • Understands the organization’s business objectives and strategy and identifies risks that create barriers to the organization’s achieving its objectives and executing its strategy successfully;
  • Is authorized to evaluate and challenge the design and operating effectiveness of the organization’s governance, risk management and internal control processes that address its critical risks and creates value by making recommendations to strengthen those processes and keeping the appropriate executives and directors informed regarding open matters;
  • Uses a lines-of-defense perspective to ensure that risk management and internal control are functioning effectively;
  • Articulates the value contributed by a risk-based audit plan to the organization, providing an assurance perspective that the board and executive management can understand;
  • Maximizes the use of technology to achieve efficiencies in assessing risk, expanding audit coverage, automating critical internal controls, tracking issues, providing exception reports and mining and analyzing data to draw meaningful insights regarding emerging risks and process and control performance; and
  • Possesses escalation authority and proactively exercises that authority to bring important matters to the attention of executive management and the board on a timely basis.

With these responsibilities and independent positioning in place, the future auditor’s relevance is assured. He/she is recognized throughout the organization as a positive change agent and provides a valued source of objective insights to executive management and the board regarding the critical enterprise risks, risk management capabilities and opportunities for improving the effectiveness and efficiency of activities that matter most to the organization’s success.

To some stakeholders and practitioners, the above responsibilities may be nothing new and merely depict what CAEs are doing now or should be doing. We agree that some CAEs, particularly in financial services, actively embrace the future auditor vision. Our view is that every CAE has the opportunity to self-assess his/her value against the future auditor vision and determine whether gaps exists and, if so, whether such gaps are due to positioning, scope or skill sets.

No doubt, operating the internal audit function in accordance with the profession’s standards[5] is vitally important. That said, in this three-part series, we elaborate on the future auditor’s advancement of the relationship with the audit committee of the board of directors (or its equivalent) on three distinctive but interrelated fronts: risk, value and communications. Our thinking is derived from our various client experiences, as well as from roundtables we have facilitated with seasoned CAEs. Of necessity, the interrelated nature of the three fronts gives rise to ideas that overlap to some extent. This first installment of the three-part series focuses on risk.

The Focus on Risk

The future auditor views risk comprehensively through the lens provided by the organization’s business objectives, strategy and operating model as a context for developing and executing a top-down, risk-based audit plan. The future auditor reaches beyond the traditional internal audit scope on operational, compliance and financial reporting matters in a variety of ways:

Thinks strategically. By identifying risks that create barriers to the organization’s achievement of  its objectives, the future auditor takes the high road of applying a strong business context and strategic thinking when engaging key stakeholders. This approach directs attention to the risks that truly matter to executive management and directors. With the organization’s strategy and business model as a context when proposing top-down, risk-based audit plans and evaluating risks and risk management capabilities, the future auditor can engage in high-end, high-touch activities such as facilitating management’s risk appetite dialogue, assessing the continued validity of strategic assumptions and evaluating the organization’s strategic alignment and progress toward executing the strategy.

Fosters early alert reporting. Alerting management about emerging risk issues is a high priority for the future auditor, whether through existing processes and systems supporting activities targeted in the audit plan or through mechanisms instituted by the audit team. Offering insights on changing environment, regulatory and risk scenarios is critical in these volatile times.

Considers the “unknown unknowns.” The reality of today’s environment is that management and the board can never be certain that they know everything they need to know. Risk assessments influenced by groupthink, overconfidence and dwelling on past trends and experiences rather than by a forward-looking process which emphasizes current and anticipated dynamics lead to rehashing proverbial “known knowns” on a risk map year after year. Shuffling known risks around on a map adds little insight for decision-making unless there are inherent challenges with managing them. Accordingly, the future auditor’s audit plan emphasizes the identification of key issues of which management and directors may not be aware.

In doing so, the future auditor undertakes a comprehensive risk focus. Therefore, consideration of issues affecting execution of the strategy is of paramount importance (e.g., changes to the company’s risk profile; assessment of how new technological trends are impacting the business model; evaluation of the enterprise’s ability to respond to the unexpected; and identification of significant non-financial reporting, operational and compliance issues).

Serves as the watch guard of risk culture. From time to time, the future auditor may use self-assessment techniques, internal surveys, focus groups and other techniques in addition to audit procedures (risk culture audits) to understand the current state of the entity’s risk culture, ascertain whether any significant gaps exist versus the desired culture and identify specific steps to rectify those gaps. Gaps may arise from such matters as unusual risk-taking; inappropriate compensation incentives; delays in remediating control deficiencies; effects of attrition and budget cuts on the control structure; evidence of eroding core values; and continued significant policy violations.

Strengthens lines of defense. The future auditor focuses on the performance of the primary risk owners and independent risk management and compliance functions in fulfilling their respective responsibilities as the first and second lines of defense. If necessary, the auditor provides an effective challenge to these parties through observations and recommendations for improving their effectiveness in discharging their responsibilities. He/she also considers the effectiveness of escalation protocols in elevating significant issues to senior management and the board for timely resolution.

Maintains vigilance against fraud. The future auditor conducts periodic risk assessments and evaluations of the organization’s anti-fraud and corruption program using data mining and analytics techniques applied to transactional data. These reviews enable the auditor to obtain insights into the operating effectiveness of internal controls and identify indicators or patterns signifying possible fraudulent activity requiring further investigation.

The focus on risk lies at the core of much of what internal audit is expected to do. Applying a risk lens to the formulation and execution of the audit plan and reporting on its results enable the future auditor to evaluate enterprise risk, engage in constructive interactions with key stakeholders and contribute to the risk topics of interest to the C-suite and board.

Summary

We have explained the vision of the “future auditor,” our view of the CAE who takes definitive steps to apply the full scope of The IIA’s definition of internal auditing. CAEs who embrace the future auditor vision are better positioned to demonstrate to executive management and the board the value contributed by internal audit through their comprehensive risk focus and forward-looking, change-oriented and highly adaptive behavior. Now is the time to raise the bar for the profession. It is up to progressive CAEs to take the lead and show the way to reach the profession’s full potential as a discipline.

In introducing the future auditor, we have suggested that he/she advances the relationship with the audit committee on three interrelated fronts – risk, value and communications. Above, we discussed the focus on risk. Next week, we will discuss the focus on value.

Read Part 2 here.

New Call-to-action

_____________________

This article is based on information detailed in The Bulletin (Volume 6, Issue 7), available at www.protiviti.com.

[1] “The Future Auditor: The Chief Audit Executive’s Endgame,” Issue 6 of Volume V of Protiviti’s The Bulletin, April 2014, available at www.protiviti.com/US-en/insights/future-auditor.

[2] See the institute’s definition of internal auditing at the following site: www.theiia.org/guidance/standards-and-guidance/ippf/definition-of-internal-auditing/?search%C2%BCdefinition.

[3] “The Future Auditor Revisited,” Issue 3 of Volume VI of Protiviti’s The Bulletin, July 2016, available at www.protiviti.com/US-en/insights/bulletin-vol-6-issue-3.

[4] Available at https://global.theiia.org/iiarf/pages/common-body-of-knowledge-cbok.aspx.

[5] See https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx for The Institute of Internal Auditors Standards for the Professional Practice of Internal Auditing, effective January 1, 2017.


Previous Post

TRACE Releases Updated Edition of the TRACE Bribery Risk Matrix

Next Post

Leveling the Playing Field on Compensation

Jim DeLoach

Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.

Related Posts

robot nurturing a good idea

Innovation vs. Compliance: In the Age of AI, Why Not Both?

by Asha Palmer
June 17, 2025

As governments scramble to regulate AI, forward-thinking companies are writing their own compliance playbooks

human robot working as team pie chart

Smart Machines, Smarter Humans: Why Compliance Still Needs a Human Touch

by Roman Eloshvili
June 17, 2025

From the 2008 financial crisis to everyday judgment calls, the case for keeping humans in the compliance loop

data privacy leader concept

Who’s Minding Your Data? The Case for Dedicated Privacy Leadership

by Daniel Barber
June 16, 2025

As state privacy laws multiply and AI introduces new vulnerabilities, the question isn't whether you need dedicated privacy expertise —...

abstract obscured data colorful

NIST’s Differential Privacy Guidelines: 6 Critical Areas for Secure Implementation

by Michelle Drolet
June 16, 2025

Standard de-identification methods remain vulnerable to sophisticated attacks, but differential privacy offers mathematical guarantees that scale with emerging threats

Next Post
pink and blue figures on unequal stacks of coins

Leveling the Playing Field on Compensation

No Result
View All Result

Privacy Policy | AI Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Research
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2025 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT
No Result
View All Result
  • Home
  • About
    • About CCI
    • CCI Magazine
    • Writing for CCI
    • Career Connection
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Library
    • Download Whitepapers & Reports
    • Download eBooks
    • New: Living Your Best Compliance Life by Mary Shirley
    • New: Ethics and Compliance for Humans by Adam Balfour
    • 2021: Raise Your Game, Not Your Voice by Lentini-Walker & Tschida
    • CCI Press & Compliance Bookshelf
  • Podcasts
    • Great Women in Compliance
    • Unless: The Podcast (Hemma Lomax)
  • Research
  • Webinars
  • Events
  • Subscribe

© 2025 Corporate Compliance Insights