Loyal readers of “Chambers on the Profession” know that the first blog post of the year traditionally offers five New Year’s resolutions for internal auditors. This year’s list leverages heavily what we learned in 2019 to better position internal audit and our organizations to succeed.
The IIA published two landmark reports in 2019 that offered new and unique insights about risk management and sound organizational governance — and the role internal audit should play in supporting both. OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk presented a singular look at how the board, executive management, and internal audit align on managing key risks. The American Corporate Governance Index (ACGI) provided a governance report card on publicly traded U.S. companies. While The IIA prepared both reports primarily for its members in America, I am confident that the themes that emerged have global applicability.
These reports offer a wealth of data that supports audit planning and effective risk management. They also helped shape my thoughts about resolutions for the New Year. Therefore, without further ado, here are five internal audit resolutions for 2020 and beyond.
Speak candidly with the Board about the organization’s true capacity to manage risks. I believe one of the most valuable findings of the OnRisk 2020 report is that boards are overconfident and generally perceive higher levels of maturity in risk management practices in the organizations they oversee. This should raise serious questions about whether boards have realistic views on key risks and the organization’s ability to manage them.
Internal audit cannot defer to others the need to correct any misperceptions that may exist. Whether speaking through the audit committee chair or directly to the board, chief audit executives should begin a dialogue on this issue. It is important to position this conversation as one where internal audit offers its insights and advice about the organization’s risk management alignment, and not point fingers at those to blame for any misalignment.
Assess the organization’s sustainability risks, and discuss with management and the board. The publication of the ACGI in December by The IIA and the University of Tennessee’s Neel Corporate Governance Center was long overdue. I have come to believe that corporate America’s indifference to sustainability is itself not sustainable. However, there is room for optimism.
There is growing realization among corporations about the importance of sustainability, especially as investors increasingly tie their financial support to organizations that can show long-term value creation, and not just short-term gains. Internal audit must take advantage of this by understanding and assessing sustainability risks, including the accuracy of sustainability reports that address an organization’s economic, environmental, and social impacts.
Enhance how we tell internal audit’s story. One of the biggest challenges practitioners face is showing stakeholders how internal audit adds value. As discussed in the previous resolution, corporate leaders often focus on short-term goals and immediate risks. They may not appreciate the value that independent assurance and an organizationwide perspective offer over the long term.
As we head into the new decade, recession is the No. 1 risk concern cited by CEOs globally, according to the Conference Board’s 2020 CEO Challenge survey. If there is an economic downturn, executive management undoubtedly will look for ways to cut costs. This is why we must show internal audit’s value before the belt tightening begins. There is no downside to being more articulate about how internal audit adds value.
Therefore, our goal must be to improve how we tell our story. Two quotes are appropriate here. Harvard University professor Howard Gardner calls stories “the single most powerful weapon in a leader’s arsenal.” This means we need to be clear and compelling in how we make the case for internal audit adding value. The second quote comes from entrepreneur and marketer Seth Godin who says, “Marketing is no longer about the stuff that you make, but about the stories you tell.” Ultimately, the “stuff” internal audit makes improves organizations, but that won’t matter if we don’t enhance how we tell our story.
Improve our use of and credibility around RPA and AI. Corporate boards and executive management that understand technology can improve operations, provide a competitive edge, and influence strategy. Internal auditors must show our stakeholders we can adopt and adapt technology to improve the work we do, as well.
Robotic process automation (RPA) and artificial intelligence (AI) are working their way into internal audit processes, but the pace has been slow. Just 19% of functions report using RPA and 17% use AI, according to Protiviti’s 2019 report, Embracing the Next Generation of Internal Audit. What’s more, no other next-generation technology, including continuous monitoring, Agile auditing, and advanced analytics, tops a 30% adoption rate.
Simply put, we must do better.
Hone in on risks related to data ethics. As the use of data by organizations increases, so will the risks associated with how it is gathered, managed, used, and protected. It is inevitable that regulation on data will evolve. Indeed, public scrutiny on organizational conduct relating to data is increasing.
For these reasons, internal audit must step into a leadership role in educating stakeholders on risks related to data ethics. We can start by encouraging management to develop guideposts that measure whether the organization’s use of data aligns with risk tolerance, and then provide assurance around adherence to those guideposts.
The new year offers significant opportunities, as outlined in these five resolutions. If we can embrace them and make steady progress, our 2030 vision of becoming universally recognized as indispensable to effective governance, risk management, and control can be attained.
As always, I look forward to your comments.
I welcome your comments via LinkedIn or Twitter (@rfchambers).