Chief Audit Executive Forum ‒ Perspectives on Internal Audit based on Shared Experiences - Session 2

The consequences of COVID-19 have changed the risk landscape. Internal audit functions are finding more than ever that they need to be closely aligned with, and responsive to, rapidly evolving business demands and priorities. Increasingly, they need to operate in more flexible and agile ways to remain relevant and support their organisation. Our Chief Audit Executive (CAE) Forum meets regularly online to exchange ideas about how to manage the audit process through and beyond the current pandemic.

Key Takeaways:

- Boards are likely to welcome aligned assurance reporting as it gives a broader picture of all of the risks faced by their organisation.
- The Brydon Report[1] provides an opportunity for CAEs to step up and deliver more value to their organisations by owning the process of producing an audit and assurance policy.
- The horizon for audit planning and reporting has shortened because of the unpredictable ecosystem within which businesses are operating, which means dynamic reporting and monitoring are more important than ever.
- There is an increasing recognition and focus on the use of enabling technology and the resourcing decisions to support this versus traditional operating models.

The stories behind the numbers

The session on 6th November focused on the findings of the most recent in the annual Protiviti Internal Audit Capabilities and Needs Survey series, The Future Auditor Has Arrived. The survey, the 15th in the series, was completed in late 2019 and early 2020 and looked at how audit functions are embracing the key pillars of Next Generation Internal Audit: governance; methodologies; and underlying technologies.
There were four key findings from the study:

- Next Generation internal audit competencies need to be prioritised rather than marginalised – especially enabling technologies.
- Fewer internal audit groups are undertaking some form of innovation or transformation, but the maturity of these capabilities has increased.
- Audit Committees want CAEs to communicate how their transformation and innovation are resulting in more coverage of risks and deeper audit reviews.
- In addition to next generation internal audit competencies, top audit plan priorities include cyber threats, enterprise risk management, fraud and third-party risks.

The research, with 800 respondents largely drawn from audit functions, looked at how the whole group rated their governance capabilities against four vectors: aligned assurance, internal audit strategic vision, resource & talent management, and organisational structure. Each scored their competency on a scale of 1-5, with 1 being the lowest and 5 being the highest. It then compared the scores with ratings given by CAEs only, identifying that while this second group of scores was understandably higher given their experience and knowledge, the area that all respondents felt was in need of improvement was aligned assurance.

| Area evaluated | Total group | CAEs only |
| --- | --- | --- |
| Aligned assurance | 2.8 | 3.1 |
| Internal audit strategic vision | 3.3 | 3.4 |
| Resource & talent management | 3.1 | 3.6 |
| Organisational structure | 3.2 | 3.5 |

Source: The Future Auditor Has Arrived, Protiviti, 2020

An independent consultant commented on the findings. She said that CAEs are right to see aligned assurance as an area for prioritisation. They have a real opportunity to take a lead in explaining to the board how it would work, in language that makes its benefits to the organisation clear.
She further observed that there had been a disparity during the pandemic between companies that had responded by investing in resources and technology - such as data analytics - to deliver those benefits, and those that hadn’t. Those that had would be in a stronger position to respond effectively to the independent review carried out by Sir Donald Brydon[1] into the quality and effectiveness of audit.

One of the 10 recommendations from the Review was that boards should produce an audit and assurance policy, including a three-year rolling plan that would be approved by shareholders. The policy would necessarily be more detailed for the first 12 months and be clear that flexibility would be required. The importance of the policy gives CAEs the chance to step up and take a lead in what could be a game-changing process for the profession.

Agility and flexibility

Since research for Protiviti’s report was undertaken before the pandemic dominated the business environment, it’s likely that the finding about fewer innovation and transformation projects may have moved on, as so many audit teams needed to adopt more agile and flexible processes to keep the board updated.

One group CAE added that it may have been easier for smaller companies to pivot quickly when they needed to, since they had ready access to the board and fewer decision makers to consult. By concentrating on the elements that were really vital, as well as automating data analysis, his team had also had more time to focus on the most important outcomes.

It may be easier for larger audit teams to evolve iteratively, rather than making wholesale changes overnight, said a former senior auditor at a major investment bank. It’s also critical to interact with stakeholders and articulate what you are hoping to achieve through innovation and technology, so they have a clearer understanding of why you are proposing to take those steps.
The next section of the research looked at how respondents rated themselves around methodologies across four areas: agile audit approach, dynamic risk assessment, high-impact reporting and continuous monitoring. The differential between scores given by the whole group and CAEs only was much smaller in this case. Again, COVID-19 may have accelerated adoption of these methodologies further since the research was undertaken.

| Area evaluated | Total group | CAEs only |
| --- | --- | --- |
| Agile audit approach | 2.7 | 2.8 |
| Dynamic risk assessment | 2.8 | 2.8 |
| High-impact reporting | 2.8 | 2.9 |
| Continuous monitoring | 3.1 | 3.1 |

Source: The Future Auditor Has Arrived, Protiviti, 2020

Forum attendees concurred that the horizon for audit planning and reporting had shortened, especially when trading conditions keep changing in line with pandemic-related lockdowns that can change working arrangements.

There was a further question about how audit teams would be able to reconcile Brydon’s recommendations for a three-year policy with this need to be agile. It was reiterated that while the policy would create obligations and expectations with shareholders, the policy would need to state that plans could change in response to severe risks.

Integrated audit and assurance reporting, which some attendees said was already happening in their organisations, would be welcomed by stakeholders, especially when the same people sit on both committees. This approach would give them a chance to sign off on both reports and see the whole context of risk right across the organisation.

Technology at play

The third element of Protiviti’s research considered how audit professionals viewed their competencies in the use of enabling technologies. The scores were again closer between the two groups than for governance.
| Area evaluated | Total group | CAEs only |
| --- | --- | --- |
| Robotic process automation | 2.1 | 2.1 |
| Machine learning and artificial intelligence | 2 | 2 |
| Process mining | 2.2 | 2.3 |
| Advanced analytics | 3.1 | 3.1 |

Source: The Future Auditor Has Arrived, Protiviti, 2020

The audit director of a pharmaceutical company explained that while there had been a concerted effort to use enabling technology, especially for the ongoing monitoring required during the pandemic, change is not easy in an environment that relies on legacy technology. However, he has seen a lot of value in exploring process mining in particular, and advises it may be easier to make a business case for such technology than for extra headcount in the audit team. Having additional technology has also helped to enthuse individuals by helping to transform the way they work.

Finally, attendees were asked to vote on subjects for forthcoming forums. The top three were: risk alignment and coverage; auditor of the future – skills/capabilities; and optimising the use of technology in the enablement of the audit function/audit delivery.

[1] “Assess, assure and inform. Improving audit quality and effectiveness. Report of the independent review into the quality and effectiveness of audit” Sir Donald Brydon, December 2019.

Leadership

Mark Peters

Mark is Managing Director in the London office in the UK. Mark leads the Internal Audit & Financial Advisory Practice in the UK. He has over 25 years of business, technology and operational risk consulting experience gained from serving a variety of companies ...