Internal audit can add value in non-traditional areas, but fundamentals must take priority.
It’s true that most internal audit shops have embraced some profound changes in the past few years. The biggest transition has been, of course, to turn internal audit’s powerful ability to assess processes and evaluate controls on company functions outside the traditional internal audit focal points.
As part of the push to provide more value, internal audit has been adding things like product innovation, sales incentive plans, and culture to the audit plan, in addition to (and in some cases instead of) such audit staples as financial reporting controls (SOX), accounting, and expense reporting. It has also strived to do more advisory work. And despite griping in some circles that internal audit should “stick to its knitting,” these efforts have been largely successful and have pushed internal audit’s influence well outside the finance department. Certainly there is no going back. Internal audit departments that don’t interpret their mandate more broadly and widen their scope risk becoming irrelevant.
There is, as you might have guessed, a big But… And that is that the internal audit departments that have most successfully pivoted from traditional internal audit topics mainly surrounding the reporting process to new audit frontiers like culture and marketing have done so only by first nearly perfecting those traditional audits. In other words, nail down those “meat and potato” internal audit topics and you can have the dessert of adding new and first-time audits to the internal audit plate and playing a more consultative role. These companies have used data analytics and continuous auditing tools to help solidify these traditional audit areas.
The allure of trying internal audit’s hand at assessing, say, the online advertising buy, or the talent acquisition process is strong and reflects internal audit’s desire to add more value and serve the business in a more strategic way. And most chief audit executives have added these areas or areas like them to the audit plan. Indeed, some CAEs report that they are being begged by some process owners in areas like marketing, sales, and HR to help them by providing internal audit’s keen analysis to their domains.
Conducting non-traditional and first-time audits is well and good, but a word of caution: don’t take your eye off the ball. There is a lot going on in traditional areas—such as accounting, tax, and compliance—that deserves internal audit’s attention. Major changes to the tax code, for example, deserve immediate attention from internal audit to ensure that compliance with the changes is being completed properly. Other regulatory changes, the increase in fraud, the still-difficult-to-implement revenue recognition rules, and other developments in somewhat mundane areas can’t be ignored by internal audit.
These core internal audit areas shouldn’t be slighted to cover newer emerging risks or newfangled internal audit areas. Only when assurance has been provided in these areas, should internal audit explore new frontiers.
- Major changes to the corporate tax code
While many companies more than welcome the cut in the corporate tax rate from a maximum of 35 percent to a fixed rate of 21 percent, the speed with which the new law was passed and how quickly it has been implemented has forced companies to rapidly revamp their tax compliance programs. The changes in the overall rate got the headlines, but there are many other detailed changes that corporate tax departments need to implement, including lots of asset expensing and depreciation provisions, new limits on business interest deductions, changes to how overseas cash is taxed, and many others. Internal audit departments should plan on spending a lot more time auditing tax compliance this year than perhaps they had thought they would before the legislation was passed.
- Revenue recognition rules and other accounting changes
Companies are still struggling with implementing the changes to revenue recognition rules that took effect at the start of the year. Numerous reports indicate that companies are still running into difficulties implementing the complex rules. Indeed, Ernst & Young’s 2017 revenue recognition survey of 300 senior leaders found that 34 percent of CFOs said they’re at risk of falling behind schedule or had not begun, and 71 percent of CFOs said their revenue recognition programs were not yet complete. Internal audit should ensure that companies are now compliant with the rules and that the implementation has been completed successfully. Changes to lease accounting are slated to take effect at the start of 2019 and could also be challenging to implement.
- Increase in low-level fraud
Fraud and security risks, including cyber-crimes, hit an all-time high in 2017, according to a new report from risk advisory firm Kroll. The survey finds that experiences of fraud have become more pervasive. The proportion of executives who said their companies fell victim to at least one instance of fraud over the past 12 months increased to 84 percent from 82 percent in the previous survey. Levels of reported fraud have steadily risen every year since 2012, when the reported occurrence was just 61 percent. Internal audit remains a top check on fraud, and when larger frauds are uncovered audit leaders will have to answer for why they weren’t spotted earlier.
- Increased FCPA prosecutions
Compliance with the Foreign Corrupt Practices Act must still be a priority for corporate compliance departments given the number of recent actions against companies that break the rules and the severe penalties they can incur. According to law firm BakerHostetler, 2016 and 2017 saw the biggest increases in FCPA actions since 2010 and prosecutors show no sign of backing off. Internal audit must ensure that their companies have instituted a robust anti-corruption program and that it is functioning properly.
- Coming European General Data Protection Regulation (GDPR) Enforcement Deadline
Companies that do business in Europe or have customers or employees there will need to comply with a new set of European Union data protection and privacy laws. The EU General Data Protection Regulation (GDPR), which was adopted in 2016, will take effect in May 2018, subjecting most companies to its somewhat onerous provisions, including the right for individuals to ask companies to delete or make changes to their data. The GDPR was designed to enhance data protections for EU residents and to provide a framework for company usage of personal data of those who reside in the European Union, including non-citizens. It comes with hefty penalties for non-compliance. Fines for violating its provisions can run as high as 20 million euros ($22 million) or 4 percent of total global revenues, whichever is higher! Worse still are reports that many companies are still not prepared for GDPR. If that doesn’t get internal audit’s attention, I’m not sure what will.
You Have to Crawl Before You Can Walk
While audit committees expect internal audit departments to move into new frontiers, they don’t want them to expand without first ensuring that the fundamentals are covered. In fact a 2016 CBOK study, titled “Voice of the Customer: Stakeholders’ Messages for Internal Audit,” from the Institute of Internal Auditors, said as much. “Some stakeholders are concerned that being overly focused on advisory work will detract from internal audit’s primary focus on assurance. Advisory work can be challenging, rewarding, and an easy way to exhibit value from internal audit—and internal audit can be very, very good at providing it. But with limited resources, an increase in the focus on advisory work could result in insufficient assurance work,” the report’s authors wrote.
During an IIA conference last year, Larry Harrington, vice president of internal audit at Raytheon, and Angela Witzany, head of internal audit at Sparkassen Versicherung AG, a large insurance provider in Austria, examined eight important messages that stakeholders are sending to internal audit, and how the function can respond. Among those was the directive to put assurance work first.
Every internal auditor knows that advisory work is what gets the attention of senior management and can help internal audit make a name for itself, but it can’t come at the expense of assurance work, the panel cautioned. According to Witzany, assurance work is essential and must take precedence over advisory work. “I always get this question of what percentage of audit work should be assurance and what should be advisory,” she said. “The answer is that it depends on the organization. Every organization is different.”
Internal audit departments that are more mature, are staffed with internal auditors that really know the business, and aren’t stretched too thin might be able to take on more advisory work, she said, but only when they have first achieved excellence in assurance. “Only then is there room to add additional value to the organization in other areas,” said Witzany.
Internal auditors will only continue to feel the pressure to expand into non-traditional areas of audit and to conduct more advisory work. Indeed, audit committees and other stakeholders are likely to judge internal audit’s success on its ability to add value in new areas. But those that pursue such initiatives at the expense of basic internal audit functions do so at their own peril.