Forces are pushing multiple business departments to be more agile in their day to day operations, and internal audit is no exception.
Faced with an ever-changing list of risks, internal audit is tasked with becoming more nimble, more strategic and more data-driven.
Last month, I spoke to IIA Sweden in Stockholm about the changes to the International Professional Practices Framework (IPPF), including the new Mission and Principles for internal auditing.
The theme continued later that day, when I made presentations to Swedbank on "auditing what matters" and "communications that matter."
Businesses pushing for agility from their internal audit need to understand what they're charged with doing, and then assess if they have the capabilities needed to deliver.
6 Principles of Internal Audit
I focused on some key words in the Principles:
We all understand what "assurance" means: providing the board and top management the assurance they need that the organization’s people, processes, systems and organization (which include related controls) are sufficient to manage risks to the enterprise objectives.
In other words, the organization is capable of delivering the performance and results needed for success.
When opportunities for improvement arise, even when what is in place is acceptable, internal audit can and should help identify and make a business case for taking them.
"Insights" is new to the lexicon of internal audit. Internal audit should have the capability of forming and express professional opinions in order to open up healthy debate. I wrote further about this topic in What do the auditors really think?
The Standards do not require an audit report – they require that the results be communicated to stakeholders. Communication must be clear, easy to read, timely and actionable.
Internal audit needs to tell them what they need to know, not what audit wants to tell them.
There’s a huge difference between what they need to know and what is traditionally included in an audit report! The other key thing is that communication must be timely. It needs to tell them what they need to know when they need to know.
Internal auditors have been proactive for a long time, not waiting for new systems to be implemented before they contribute their advice and insight on whether the resulting controls and security will be adequate.
"Future-focused" is another addition to the internal audit lexicon. Internal audit must leave the past behind, leaving the auditing of history and conduct of post-mortems to others, to focus on how they can help the organization today and tomorrow.
Instead of auditing how the risks of yesterday were managed (and pointing out the failures of the past), help with the risks the organization faces today and will face over the next 12 months or so. This approach is far more constructive and valuable.
Too often, internal auditors have criticized management for past mistakes instead of looking at how the organization is moving forward.
Agile Internal Audit
Before you can assess and comment on whether internal audit has the necessary capabilities, you have to establish what you need to do.
As usual, Jim DeLoach, managing director of Protiviti makes some excellent points in 2016 Internal Audit Capabilities and Needs Survey. As he writes in the introduction:
“Internal audit has arrived at a tipping point. The issue is no longer whether your function is evolving, but rather how quickly and effectively it is transforming for the future towards a more strategic, collaborative and data-driven mode of operation while maintaining the highest quality of performance.”
While this is true, I don’t think it paints a complete picture:
- This ‘tipping point’ is not new. The imperative for change has been recognized for a number of years and I am pleased to see many IA functions (including my friends at Swedbank) taking huge strides forward
- Internal audit needs to be agile, not just (as in the Protiviti piece) in its mining and use of data, but in its ability to change direction as risks change. Agile implies small steps, so the full-scope audits of the past need to be replaced by nimble audits focused on specific risks to the enterprise
- In particular, we need to provide assurance, advice and insight at the speed of the business — when it is needed by the leaders of the organization. This may require significant re-thinking of how quickly we can obtain that information and share it with stakeholders. How can we use new technologies to replace traditional audit report and communication methods?
DeLoach's report includes some excellent content, presented well — everybody read it.
But should it lead with cyber, when massive change to traditional IA methods is needed? While cyber is important, it’s the flavor of the day and IA needs to be prepared to deal with all risks as they appear or become significant — in a way that is seen by the board and management as contributing to their decision-making and running of the business.
Do we have the capabilities to function at this new level? That is the real question for me.
I welcome your thoughts.
Editor's Note: Hear more of Norman's thoughts on risk at Risk Reimagined, taking place in Chicago on April 22 and London on May 10