A recent report by PwC is making some waves in the internal audit community. The study, "State of the Internal Audit Professional," found that less than half (44 percent) of the board members and company executives it surveyed think that internal audit adds significant value, down from 54 percent last year. The news is likely to sound alarm bells among internal audit leaders who thought they were making progress on the goal of adding value, not regressing.
The PwC report notwithstanding, many internal audit departments are increasing the value they add to the business. Indeed, the same study found that 18 percent of respondents say the internal audit function "plays a valuable role in helping their companies anticipate and respond to business disruption."
Internal auditors realize they must pay closer attention to what their stakeholders—namely boards and executive management—expect of them and whether these expectations are being met. During a recent internal audit conference by the Institute of Internal Auditors, Larry Harrington, vice president of internal audit at Raytheon, and Angela Witzany, head of internal audit at Sparkassen Versicherung AG, a large insurance provider in Austria, examined eight important messages that stakeholders are sending to internal audit, and how the function can respond.
The discussion drawls from a CBOK study and report published last summer by the IIA's Internal Audit Foundation and authored by Harrington and Witzany, who also serves as chair of IIA's global board of directors. The purpose of the study, according to the authors, was to focus "on the recommendations from stakeholders on the best practices internal auditors should consider in their quest to continually improve performance and bring value to their organizations."
The thrust of that message is don't stand still. Internal audit must evolve to meet the needs of a constantly shifting business environment. "Stakeholders are challenging us to get out of our swim lanes," said Brian Christensen, executive vice president of global internal audit at Protiviti, who also took part in the panel discussion. "We as auditors are so accustomed to doing our behaviors. We have our audit plans, we have our pencils. But [stakeholders] talked to us about the fact that things change. Be adaptable, be flexible, and be receptive to embracing new challenges and taking them on."
The panel identified the following eight messages from stakeholders that internal audit must take heed of and respond:
1. Know your organization's mission, strategy, and objectives
While most internal auditors probably have a solid understanding of the mission, strategy, and objectives of the company, does that understanding align with how the board and C-suite see these critical elements? "The difficult part is how do we get stakeholder's perspective on the strategy and objectives of the organization, and that is why we have to be proactive and to really listen to our stakeholders and communicate well," said Witzany. She suggests internal audit "audit from the perspective of the CEO."
In order for internal audit to make the most of the limited resources it has, it most focus its efforts on the activities that support the main objectives and strategy of the organization. Naturally, it can't achieve that focus if it doesn't have a deep understanding of what those strategies and objectives are. "Help stakeholders recognize that you understand the business, framing your communication with them within the context of strategy and objectives," the authors of the CBOK report wrote.
2. Assurance work should come first
Every internal auditor knows that advisory work is what gets the attention of senior management and can help internal audit make a name for itself, but it can't come at the expense of assurance work, the panel cautioned. According to Witzany, assurance work is essential and must take precedence over advisory work. "I always get this question of what percentage of audit work should be assurance and what should be advisory," she said. "The answer is that it depends on the organization. Every organization is different."
Internal audit departments that are more mature, are staffed with internal auditors that really know the business, and aren't stretched too thin might be able to take on more advisory work, she said, but only when they have first achieved excellence in assurance. "Only then is there room to add additional value to the organization in other areas," said Witzany.
3. Ensure assurance work is closely aligned to the strategic risks of the organization
The next step is to link that assurance work to the first point, the strategic risks of the business. "What we have to do is link our assurance work to the mission, strategy, and objectives of the organization," said Witzany.
The panelists discussed how this stakeholder expectation means that audit must push into new areas of strategic importance to the business. It doesn't mean, however, that internal audit can abandon traditional areas. "This does not mean internal audit ignores financial, operational, or compliance risks. In almost all cases, these risks are directly linked to the organization's strategy. The key is being able to link these 'traditional' risk areas to strategy," the report's authors wrote.
"One of the things we need to be thinking about is: what are we doing as chief audit executives to engage our team to think big picture?" asked Harrington. "How do we get them to think about where the business is, where it's going, and what the strategy is?" Harrington said that it's not just for the CAE to think strategically, but for the whole internal audit function.
4. Focus advisory activities on risk identification and management
Internal audit departments that are advancing into advisory work should target that work and focus on core competencies. Respondents to the CBOK stakeholder study indicated that assistance in managing risk should be at the top of that list. "The message from stakeholders is clear—when looking beyond assurance, they believe internal audit can be most valuable to organizations by being involved in risk identification and management," the report's authors wrote.
"Stakeholders expect us to be thinking about the risks that are around the corner and having that dialogue with both management and the board," said Harrington. He said CEOs are reading the Wall Street Journal and asking, "Could this happen to us?" "They expect us to be having that conversation," said Harrington. "You don't want to get that call from the CEO and not have already been thinking about that issue and be already aware of it," he added.
5. Coordinate with the second Line of defense
Stakeholders expect internal audit to communicate closely with the second lines of defense, such as compliance and risk management, to avoid duplicating work or fostering a siloed approach to risk management. Board members and top executives don't want to have to wade through multiple reports from different functions that cover the same territory. There is also the concern, says Witzany, of "audit fatigue," when multiple functions are assessing the same processes in an organization.
One way to coordinate activities, the panelists suggested is to ensure that those second lines of defense and internal audit are all speaking the same language. It may be as simple as using the same terms to describe the same things or making sure the departments are in agreement when it comes to identifying the key risks and how they are assessed. At Sparkassen Versicherung, for example, Witzany said internal audit meets with second-line departments, such as compliance, on a monthly basis to talk over the top issues.
The report's author's also sounded a note of concern here: "But cooperation is not without caution. Many stakeholders appreciate that internal audit is different from second line of defense functions. In some cases, the function is robust and well run, allowing extensive reliance in an integrated model. In other cases, reliance is inappropriate," they wrote.
6. Ensure reporting structure is working properly
While internal audit may have limited control over how the reporting lines are structured at the company, the chief audit executive shouldn't live with a reporting structure that isn't working. According to the report, board and C-suite stakeholders want to know if internal audit leaders don't think the structure is providing the independence they need to do their jobs or if lines of communication don't seem to be open in both directions. "If the reporting structure is not working, reconsider it and talk to your stakeholders about how it can be improved," said Witzany.
7. Build strong relationships within the organization
"A strong relationship makes the difference, but this takes time," said Witzany "It's only when you get different views and perspectives that it makes it much easier to compromise." Here, Witzany advocates a Goldilocks approach. "You can't be too close, but you can't be too far either," she said. "It has to be a balance. The key is achieving a relationship where there is trust."
According to Harrington, internal audit leaders must build strong relationships with the entire board so they can win its support and the board can act as a champion for internal audit. "Building those relationships is so important because we have to recognize that we need each other," said Harrington.
"Leading internal audit departments will be the ones who are building a brand where people see internal audit not as the people who always say what isn't right, but the folks who can help drive change because they can look at how our business is performing against benchmarks in other industries, they can help take costs out of the business, help challenge strategy, and think about pitfalls before we get to them," said Harrington.
8. Enhance communication skills
Harrington emphasizes how important it is to communicate well not just with the audit committee, but with the entire board. "It's all about brand and how they perceive us," he said. One of the top action items for the panel was to consider the quality, frequency, and methods of communication with stakeholders.
"There is not time for us to become complacent as internal auditors," said Witzany. "We have a lot to do to respond to the voice of our customers and to the voice of our stakeholders." As the PwC report indicates, there is much work indeed. Boards and top executives expect a lot of internal audit. Listening to and understanding those expectation may be the first step to getting the perception that internal audit adds significant value headed back in the right direction.