Internal Audit Pushes Beyond the Tipping Point

Forces are pushing multiple business departments to be more agile in their day to day operations, and internal audit is no exception.

Faced with an ever-changing list of risks, internal audit is tasked with becoming more nimble, more strategic and more data-driven.

Last month, I spoke to IIA Sweden in Stockholm about the changes to the International Professional Practices Framework (IPPF), including the new Mission and Principles for internal auditing.

The theme continued later that day, when I made presentations to Swedbank on "auditing what matters" and "communications that matter."

Businesses pushing for agility from their internal audit need to understand what they're charged with doing, and then assess if they have the capabilities needed to deliver.

6 Principles of Internal Audit

I focused on some key words in the Principles:

Assurance
Advice
Insights
Communicate
Proactive
Future-focused

Assurance

We all understand what "assurance" means: providing the board and top management the assurance they need that the organization’s people, processes, systems and organization (which include related controls) are sufficient to manage risks to the enterprise objectives.

In other words, the organization is capable of delivering the performance and results needed for success.

Advice

When opportunities for improvement arise, even when what is in place is acceptable, internal audit can and should help identify and make a business case for taking them.

Insights

"Insights" is new to the lexicon of internal audit. Internal audit should have the capability of forming and express professional opinions in order to open up healthy debate. I wrote further about this topic in What do the auditors really think?

Communicate

The Standards do not require an audit report – they require that the results be communicated to stakeholders. Communication must be clear, easy to read, timely and actionable.

Internal audit needs to tell them what they need to know, not what audit wants to tell them.

There’s a huge difference between what they need to know and what is traditionally included in an audit report! The other key thing is that communication must be timely. It needs to tell them what they need to know when they need to know.

Proactive

Internal auditors have been proactive for a long time, not waiting for new systems to be implemented before they contribute their advice and insight on whether the resulting controls and security will be adequate.

Future-Focused

"Future-focused" is another addition to the internal audit lexicon. Internal audit must leave the past behind, leaving the auditing of history and conduct of post-mortems to others, to focus on how they can help the organization today and tomorrow.

Instead of auditing how the risks of yesterday were managed (and pointing out the failures of the past), help with the risks the organization faces today and will face over the next 12 months or so. This approach is far more constructive and valuable.

Learning Opportunities

Webinar

Discover the challenges that contact centers, AX, and CX face and how CAI-assisted applications can help solve them

Jun

The Future of Contact Centers with AI at the Helm

Learn how to balance human intuition and interaction with the potential uses of AI to create delightful and lasting CX

Webinar

How brands can deliver video experiences in many different ways using Cloudinary

Jun

Learn How to Deliver Dynamic Video Experiences at Scale

Learn how to convert existing assets into video experiences in near real-time.

Webinar

What data should be collected to achieve meaningful engagement

Jun

3 Steps to Unlock Your Customer Data and Drive Revenue

Discover how Twilio Segment’s #1 Customer Data Platform helps implement data-driven strategies.

Webinar

it’s ultimately the digital experiences you create that will drive the clicks and conversions that you want

Jun

Retail Reinvented: A Masterclass in Creating Digital Experiences That Click

Hear how online retailers architect their digital experience infrastructure for peak traffic and demand

Webinar

Discover the vital role of continuous feedback in personalization success

Jun

The Feedback Loop: Accelerating Personalization for Exemplary Customer Experiences

Are you ready to harness the power of feedback in your personalization strategy?

Webinar

Creating a one-on-one conversation with your customers

Jun

How to Succeed in Today's Engagement Economy

Doing true personalization at scale with marketing automation

Webinar

Jun

The Future of Contact Centers with AI at the Helm

Learn how to balance human intuition and interaction with the potential uses of AI to create delightful and lasting CX

Webinar

Jun

Learn How to Deliver Dynamic Video Experiences at Scale

Learn how to convert existing assets into video experiences in near real-time.

Webinar

Jun

The Future of Contact Centers with AI at the Helm

Learn how to balance human intuition and interaction with the potential uses of AI to create delightful and lasting CX

Webinar

Jun

Learn How to Deliver Dynamic Video Experiences at Scale

Learn how to convert existing assets into video experiences in near real-time.

Webinar

Jun

3 Steps to Unlock Your Customer Data and Drive Revenue

Discover how Twilio Segment’s #1 Customer Data Platform helps implement data-driven strategies.

Webinar

Jun

The Future of Contact Centers with AI at the Helm

Learn how to balance human intuition and interaction with the potential uses of AI to create delightful and lasting CX

Too often, internal auditors have criticized management for past mistakes instead of looking at how the organization is moving forward.

Agile Internal Audit

Before you can assess and comment on whether internal audit has the necessary capabilities, you have to establish what you need to do.

As usual, Jim DeLoach, managing director of Protiviti makes some excellent points in 2016 Internal Audit Capabilities and Needs Survey. As he writes in the introduction:

“Internal audit has arrived at a tipping point. The issue is no longer whether your function is evolving, but rather how quickly and effectively it is transforming for the future towards a more strategic, collaborative and data-driven mode of operation while maintaining the highest quality of performance.”

While this is true, I don’t think it paints a complete picture:

This ‘tipping point’ is not new. The imperative for change has been recognized for a number of years and I am pleased to see many IA functions (including my friends at Swedbank) taking huge strides forward
Internal audit needs to be agile, not just (as in the Protiviti piece) in its mining and use of data, but in its ability to change direction as risks change. Agile implies small steps, so the full-scope audits of the past need to be replaced by nimble audits focused on specific risks to the enterprise
In particular, we need to provide assurance, advice and insight at the speed of the business — when it is needed by the leaders of the organization. This may require significant re-thinking of how quickly we can obtain that information and share it with stakeholders. How can we use new technologies to replace traditional audit report and communication methods?

DeLoach's report includes some excellent content, presented well — everybody read it.

But should it lead with cyber, when massive change to traditional IA methods is needed? While cyber is important, it’s the flavor of the day and IA needs to be prepared to deal with all risks as they appear or become significant — in a way that is seen by the board and management as contributing to their decision-making and running of the business.

Do we have the capabilities to function at this new level? That is the real question for me.

I welcome your thoughts.

Editor's Note: Hear more of Norman's thoughts on risk at Risk Reimagined, taking place in Chicago on April 22 and London on May 10

fa-solid fa-hand-paper Learn how you can join our contributor community.