GUEST BLOG
One thing I know for certain … the times they are a-changin’ … and internal audit is no exception.
I spent the last several months interviewing many chief audit executives (CAEs) from all over the world to gain a better understanding of the current state of internal audit. What I found is that not only is the pace of change accelerating at an alarming rate, but along with the mounting internal audit challenges come plenty of opportunities too. From these interviews, and my own experiences as a CAE at two organizations, I have identified some clear trends, challenges, and opportunities that most CAEs are working to address.
For internal audit to meet these challenges and take advantage of the opportunities, its clear that it will have to get better at managing change, and not just periodic change, but constant change. This may not be an easy transition, but one that we must embark on if internal audit is to be considered relevant and a valuable part of the future. This also means addressing some of the elephants in the room many would rather ignore.
“Admit that the Waters Around You Have Grown”
Here’s a list of the internal audit challenges that present threats to the profession or cause sleepless nights for some CAEs. While it’s hardly a comprehensive list, it includes some of the changes and trends that we internal auditors simply can’t ignore.
Speed of Technology: Changing business models from technological advances are disrupting traditional organizations and just may be the existential threat to internal audit. Deeper knowledge and skills related to new technology used throughout the organization are needed, as well as understanding and adoption of technology tools for performing audits, such as robotic process automation (RPA), artificial intelligence (AI), and advanced analytics. As Karl Stingily, CAE of Caesars Entertainment said, “every auditor needs to have a basic understanding of IT, as it is embedded in every audit that we perform.”
♦ Cybersecurity: Cybersecurity is a critical issue for nearly all boards and senior managers, and, whether you know it or not, they are looking to internal audit to make sure everything is “OK.” Since cybersecurity is such a broad topic, and little direction is given on what internal audit is expected to do, scoping engagements is difficult.
“Internal audit needs to quit being an independent island and become an integrated part of the process, participating more with first and second line functions.”
— Daniel Clark, senior vice president and director of internal audit at Washington Trust Bank
♦ Downgrades to the CAE Position: Some organizations are pushing down the CAE position from vice-president to director or from director to manager, leaving internal audit to report lower in the organizational hierarchy. This is bad news if internal audit is to maintain influence in the organization. This harsh reality increases the need for internal audit to demonstrate value to senior management and the board, audit what matters most, and simply make the case for internal audit by achieving more “wins.”
♦ More Specialization: Increased technical and business skills are needed in internal audit, leading to the death of the general auditor. Internal audit departments will likely see more experienced, technically savvy auditors making up most of the department.
♦ Serving Two Masters: Internal audit has always had some challenge serving both the board and senior management—two groups that are not always aligned—and pull internal audit in different directions. The challenges around independence are real.
♦ Talent Acquisition: Finding enough people to fill open positions and finding people with the right skills is a challenge in the current tight job market and could be for some time. CAEs will need to be more creative, looking for candidates with non-traditional audit backgrounds and relying more on “guest auditors” to fill the gaps.
♦ Talent Development: Training current employees in technical and soft-skills is a constant challenge for CAEs. And soft-skills, such as communication and emotional intelligence, are more important than ever. Auditors who can do the work, but have difficulty communicating the results, will find themselves out of a job.
♦ Constant Justification: Nobody seems to care that last year you saved the organization millions of dollars. The “what have you done for me lately?” mentality requires CAEs to constantly justify their value to the organization, some of which is cost and risk avoidance that is difficult to calculate and quantify to the chief financial officer. Yet CAEs will need to prove return on investment to the organization or risk getting outsourced. (See, “Downgrades to the CAE Position” above.)
“Every auditor needs to have a basic understanding of IT, as it is embedded in every audit that we perform.”
— Karl Stingily, CAE of Caesars Entertainment
♦ Sarbanes-Oxley: Immediately after the passage of the Sarbanes-Oxley Act (SOX) internal audit spent an inordinate amount of time doing lower-level work around SOX compliance. Over time, some of that work transitioned to others in the organization, but new requirements from the PCAOB, which have led to shifting expectations of the board and senior management, means internal audit is being pulled back, kicking and screaming, into SOX compliance work.
“Keep Your Eyes Wide, the Chance Won’t Come Again”
While these hurdles will require some hard thinking, intestinal fortitude, and perhaps most of all the ability to abandon the old way of doing things and embrace change, there is some good news for those who take these challenges head on. That is that there are also plenty of opportunities for internal audit to differentiate itself, create value, and elevate the function in the organization.
Here are some of the opportunities. Again, its not a comprehensive list, but includes the topics the CAEs I talked to were most keen to discuss.
♦ Beyond Sampling: Moving away from a sampling methodology and techniques to full testing by using AI, RPA, and advanced data analytics could open many doors for internal audit. It provides the ability to automate processes, cut costs and time, and free internal audit to do more consulting and new, more value-added audits.
♦ Partnering with Management: Partner more with management to help correct problems and improve processes in real time, instead of highlighting problems after they occur. Be more relevant and add more value as a true business partner.
♦ Alignment: Better align the work of internal audit to the mission, vision, values, and objectives of the organization. Also, ensure alignment with enterprise risk management and other second line functions. Internal audit must focus attention on risk-based audits and define risks broadly, including strategic and emerging risks. Keep doing the same old audits at your peril.
“Communication is number one, hands-down!”
—Dan Smith, director of internal audit at Insteel Industries
♦ Integration: “Internal audit needs to quit being an independent island and become an integrated part of the process, participating more with first and second line functions,” says Daniel Clark, senior vice president and director of internal audit at Washington Trust Bank. Internal audit can maintain objectivity and still become plugged-in to what is happening in the company.
♦ Improved Staffing: Reverse the pyramid in staffing. Hire specialized, more experienced staff. Rely more on co-sourcing experts when a full-time equivalent isn’t justified.
♦ Forward-Looking Mindset: The board and senior management are relying more on internal audit to help them understand the risks on the horizon. This can also be seen as a challenge since, as Leah Ladley, CAE of St Jude Children’s Research Hospital explained, stakeholders expect internal audit “to have a crystal ball.” It doesn’t, of course, but it can improve its ability to develop a more forward-looking mindset. Spend more time talking to those throughout the organization about what they worry about, conduct scenario planning, and get out of the office to conferences and industry events.
♦ Technology: What is internal audit’s greatest challenge (See point one above) is also its greatest opportunity. Increase the use of AI and RPA to increase audit coverage and reduce time required on audit engagements. This will also free up time to focus on the bigger strategic-level risks that provide more value to the organization.
♦ Advocacy: Provide more advocacy and education to the various stakeholders within and without the organization. There is still a misconception by many of what internal audit does or what it could do. Hold “lunch and learn” events, invite stakeholders in for informal conversations before the audit begins to talk about goals and shared objectives, and celebrate wins, where the actions or findings of internal audit led to substantiated positive change.
“Please Heed the Call”
To cope with these challenges and opportunities, there is a real need to improve the knowledge, skills, and competencies of internal auditors. So which areas should we focus on first? “Communication is number one, hands-down,” said Dan Smith, director of internal audit at Insteel Industries, and something I heard from almost everyone. Here are some of the top training and development needs:
♦ Communication: All audit departments need auditors who are good at writing, speaking, influence, and persuasion.
Stakeholders expect internal audit “to have a crystal ball.”
— Leah Ladley, CAE of St Jude Children’s Research Hospital
♦ Technology Skills: While they are in high demand, auditors with better understanding of the IT environment, IT audit, and audit tools are essential, considering the points above. Internal audit may need to make the case for more resources to attract such talent.
♦ Critical Thinking: Critical thinking skills should be assessed during the interview process of every potential hire for internal audit, with no exceptions. Good old-fashioned logical reasoning skills appear to be in decline these days, but are certainly necessary in internal audit.
♦ Emotional Intelligence: The capacity to be aware of, control, and express one’s emotions and to handle interpersonal relationships judiciously and empathetically is a basic human skill sometimes lacking in the business world these days. IQ is important for obtaining degrees and certifications, but EQ is important for long-term career advancement.
♦ Data Analytics: Data analytics are becoming a more important part of every audit. Internal audit departments need to move past having the “analytics guy or gal”—who could walk out the door and take the department’s entire analytics capability with him or her—and move to ensuring most internal auditors have some proficiency in data analytics.
♦ Cybersecurity: Nearly every list of chief risks at companies includes cybersecurity, so internal auditors need to be well-versed in this critical area. They must understand the key points and the language so they can talk to tech and security experts and address problems.
While I realize much of this article has been a laundry list of some of the different internal audit challenges and opportunities we face and there is a lot to digest, these issues, if ignored, will only gain in importance and in their ability to sink the internal audit department.
These issues can also overwhelm CAEs. It was evident from my interviews that CAEs often feel alone, as if they are the only one dealing with these issues. One goal of this article is to let CAEs know they are not alone, but instead are dealing with some of the same issues as their peers around the world. Again, its important to get out and talk to other CAEs, whether through online forums, industry events, or conferences to talk about how others might be handling these same issues.
Also, there is a difference between the aspiration level of internal audit from the standards and what is actually practiced and practical to implement on a day-to-day basis. Internal audit looks different at different organizations and that is perfectly OK. Do what is best for you and your team, based on your particular facts and circumstances. Remember, it’s better to be on the ship and helping to steer it than to be relegated to the brig. Besides, it has to be built before you can audit it, so why not help build it (maintaining proper levels of independence and objectivity, of course.)
Since the world doesn’t need more problems, but instead solutions, going forward you’ll see me tackle many of these issues individually in more detail, with some practical advice.
Meanwhile, I leave you with a few more applicable words from Bob Dylan’s “The Times They Are A-Changin’:” “Don’t stand in the doorway, Don’t block up the hall, For he that gets hurt, Will be he who has stalled.” 
Jason Mefford is a rock star in internal audit, risk, and compliance. He serves chief audit executives and other professionals through training and coaching on technical and soft-skills needed to navigate organizational minefields. He is the president of Mefford Associates, co-founder of cRisk Academy, and lead trainer of Mefford CIA Review Course, in addition to being an author, speaker, musician, and podcast host.