The Lost Year 2020: Focusing on the fundamentals for solutions DURING and POST-COVID-19.

How do you plan for a smooth re-opening and manage increased uncertainty?  

First, as the world continues to struggle and cope with the effects of COVID-19, we hope you and your team are doing well. With the increased possibility of a second wave, precautions to help protect the health and wellbeing of your staff, clients/customers, stakeholders, and your local communities remains a priority.

COVID-19 began as a health pandemic, quickly evolved to a global recession, and continues to create economic challenges disrupting businesses and cause financial hardship to households. While we all wait for an effective medical solution (vaccine and treatment), COVID-19 continues to impact your business—value chains, employees, stakeholders, and customers in different ways.

What remains hard to accept is the rapid pace of change—a reality that is not only difficult to understand, but equally tricky to admit, as we all make the best of 2020. As lockdown restrictions get relaxed and most states and nations struggle re-opening for business, you need to re-evaluate your value-chain, and find solutions to your current customer problems and challenges. It’s time to re-visit the fundamentals and plan for the future.

Eight Value-chain considerations as you plan to re-open



(1) Understand changing customer expectations and shifts in demand. 

a. How is COVID-19 affecting your customers and their supply chains – Volatility, Uncertainty, Complexity, and Ambiguity?

b. What trends have you seen, and how will these continue during and post-COVID-19?

c. What additional solutions can you provide to help your clients/customers during and post-COVID-19?

(2) Construct scenario plans and apply lessons learned (you can’t help your customers if your business is struggling).

a. Think of a “Best-Case” and “Worst-Case” scenario, and apply lessons learned to plan for the next 3 to 6 months. How should your business function during and post-COVID-19? 

b. What decisions must you make to manage cash and credit? 

         c. What cash flow challenges are you and your customers facing, and the impact on receivables?

d. What expenses must you re-negotiate?

(3) Manage uncertainty Few experts can predict an economic and fiscal solution to a health pandemic like COVID-19 unless there is an effective vaccine or treatment.  

a. What must you do to survive in uncertain times?

b. Re-evaluate your customer personas. How would you prioritize your ideal customers during and post-COVID-19?

c. What customers can you afford to lose, and what new customers should you target?

         d. What new skillsets will your team need to address current challenges?

         e. Where can you reduce headcount to save money without exposing your organization to new risk?

         f. What roles are critical towards providing essential services and address current challenges? 

(4) Prepare a contingent plan for your “worst-case” scenario.  

a. Increased economic and geopolitical uncertainties impact visibility and demand planning.  Assuming no revenue, how long can your business survive the next 6 to 12 months? 

b. Does it make sense to pivot into other areas? 

c. Your “best-case” scenario can’t be totally ignored either. Some businesses have struggled to manage unprecedented growth during COVID-19 due to a lack of planning.   

(5) Embrace technology.  Select the right technology and tools to support your employees and clients. 

a. How can you improve your digital presence to connect with and engage customers in ways they see as valuable? 

b. What new technology must you embrace and make it easy for current and new customers to work with you?

(6) Manage health and safety concerns. 

a. What health and safety controls must you implement and communicate to your employees and customers to address their concerns during and post-COVID-19?

b. What additional costs and resources will you need to address all health and safety concerns as your business re-opens?

(7) Stay on top of the changing regulatory and risk environments. 

a. What are the fundamental regulatory changes impacting your industry? 

b. What are some of the emerging and rapidly evolving risks you should be aware of during and post-COVID-19?

(8) Update your critical processes, policies, and procedures and train stakeholders.  

a. What changes must you make to your critical processes during and post-COVID-19 to continue delivering exceptional customer experiences?

b. How will you maintain processes, policies, and procedures and communicate the changes to stakeholders?

While these eight steps are not the totality of items management should consider, your internal audit department or an equivalent function, can provide valuable support to management, and insights in helping the organization create value.  However, adding or creating value is not enough.  As you make changes based on available data and other factors, think of ways your internal audit function should evolve and provide timely assurance, expertise in a consulting capacity, and insights to help your organization succeed.  By supporting management to achieve strategic goals and objectives, perform audits and reviews that matter, your internal audit team can quickly adapt and continue not only to add value, but to help management capture and sustain value over time.

Conclusion

“Get the fundamentals down, and the level of everything you do will rise.” Michael Jordan

The lockdown restrictions could be tightened if the number of COVID-19 infections continues to increase.  Your team can take appropriate steps to get the fundamentals right to ensure your business succeeds.  When our favorite athletes encounter difficulties, they often turn to the fundamentals. As your team struggles to cope and adjust to the COVID-19 challenges, some modifications to your strategy and fundamentals are essential to not only adapt, but to thrive during difficult times, and continue to meet your clients’/customers’ expectations. 

By re-evaluating your current end-to-end customer support process, your team will discover a way to make timely changes to continue providing value-added solutions during and post-COVID-19.  Modernized solutions and processes are needed to deliver exceptional customer experiences, increasing their willingness to pay for your products and services. 

Stay Safe!

Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a professional services firm providing internal audit outsourcing and internal audit co-sourcing services to government institutions, private-sector, and not-for-profit organizations in the US and the Asia Pacific (APAC) regions.

Going back to fundamentals. Why re-evaluate your Current and Post-COVID-19 Strategy?

Why must you re-visit your business fundamentals now?

“You go back to fundamentals when things start to go awry.” Bill Cowher      

We have all seen our favorite athletes, entertainers, leaders, and teachers encounter and overcome challenges. In difficult times, they often turn to the fundamentals.  Your strategic plan is formulated on core business principles—or fundamentals.  As your teams struggle to adapt and cope with the disruptions from COVID-19, early emphasis between February and May 2020 was about surviving.  What immediate changes must management make to survive in uncertain times? 

As things settled, visibility on the impact such as loan defaults, canceled orders, increased refunds, etc., became apparent.  The new reality surrounding your business has changed. COVID-19 has fundamentally impacted your employees and customers in different ways. Now is the time to re-visit the fundamentals—your strategy to understand the following:

  • What went wrong? 
  • How where we blindsided? 
  • What must we do differently to plan and adapt to the new reality?

Unless, in extreme circumstances, COVID-19 did not and will not change your mission. The fundamentals—your business strategy needs to be evaluated.  How you continue executing your strategy should change to help your teams identify and resolve misalignments, plan, and adapt to the current and post-COVID-19 business environment.

How do you get there?

Going back to the fundamentals requires a simple view of your strategic planning, strategy-formulation, and strategy-execution as an ongoing process.  A designated and neutral Point of Contact should coordinate the re-evaluation process and provide support towards accomplishing the following:

  1. analyze the current environment and identify metrics, 
  2. facilitate collaboration with management and stakeholders and learn during strategy formulation, and 
  3. provide tools and support as needed for your management teams to execute the strategy during and post-COVID-19 and improve.

Mistakes to Avoid – Misalignment Misfortune

We’ve all heard the many clichéd ways to describe when multiple components are aligned in their goals or strategy: “We’re all in this together,” “we’re operating on the same wavelength,” “we’re rowing in the same direction.” And there are plenty more. Achieving alignment in a common goal is critical to the success of any group endeavor. Even one person marching to the beat of a different drummer can threaten the success of the entire group. This dynamic plays out in all facets of business activity.  We’ve seen countless examples of when a business unit impacts strategy execution due to different objectives, not in alignment with the enterprise goals.  

  • Such misalignments (strategic misalignments) probably existed across organizations pre-COVID-19.  
  • Strategic misalignments further complicate the ability to develop and implement a plan to respond in the short-term and long-term to the COVID-19 challenges and other future events.

This quote by Sun Tzu, author of the Art of War, captures the difficulty in achieving success without getting what we call in the modern age “buy-in” from all those involved in the endeavor: “Unhappy is the fate of one who tries to win his battles and succeed in his attacks without cultivating the spirit of enterprise; for the result is a waste of time and general stagnation.”  

  • Why does strategic misalignment exist and remain unresolved? 
  • What is the actual cost if not resolved over time?
  • How will this impact your ability to implement long-term sustainable changes to adapt to the new realities during and post-COVID-19?

There are eight reasons why strategic misalignment occurs and why management and internal auditors fail to resolve those imbalances when they do occur. They include:

  1. Lack of awareness – No one recognized the misalignment.
  2. Management is aware and can’t resolve – Lack of adequate processes and controls with oversight.
  3. Competing and conflicting priorities – Lack of sensitivity towards resource constraints (capacity).
  4. Inappropriate tone and corporate culture at the enterprise or business unit and departmental levels.
  5. Continuous Process Improvement (CPI) projects, internal audits, and reviews performed, are not aligned with strategic goals and objectives.
  6. Inability to identify and mitigate risks – This includes emerging risks and the rapid pace of evolving risks.
  7. Lack of visibility understanding the long-term compliance implications and added cost from regulatory fines.
  8. Inability to execute strategy and meet changing customers’ expectations.
Conclusion

These eight-steps can help your teams identify misalignments between enterprise strategy and business unit priorities, as you re-evaluate and develop a long-term plan to adjust to the new realities during and post-COVID-19.  Strategic misalignments should be identified and resolved as soon as possible to avoid long-term financial losses, reputational damage, and improve responsiveness to the changing business environment.  

Our next post will elaborate on how you can continue re-evaluating your fundamentals, especially in difficult times. The post will provide suggestions on what your teams should focus on as the lockdown restrictions get relaxed, and most states continue re-opening for business.

Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a professional services firm providing internal audit outsourcing and internal audit co-sourcing services to government institutions, private-sector, and not-for-profit organizations in the US and the Asia Pacific (APAC) regions.

Improve risk management and sustain strategy execution by focusing on reviews that matter

What type of reviews should your teams be performing during and post-COVID-19?

COVID-19 has created new realities and unprecedented challenges.  It has also impacted your stakeholders and control environment and how audits and reviews are performed.  The rapid pace of change accelerated the need for the following:

  • new solutions to your customer’s problems (adapt to changing consumer behaviors)
  • changes to the ways your staff perform their jobs (manage health and safety concerns), and 
  • modifications to your strategic goals and objectives (manage increased uncertainties and adapt to a rapidly changing business environment).

Performing audits and reviews that does not directly impact the accomplishment of your strategic goals and objectives adds limited value.  To create, capture, and sustain value, simplicity, flexibility, and agility is critical to the nature of audits and reviews performed.  This is the ideal way for an independent internal audit function to support management solve problems they see as necessary at the current moment, and vital to the long-term survival of your business.

How do you get there?

“Out of intense complexities, intense simplicities emerge.” Winston Churchill

Complexity is the enemy from within that must be avoided.  Begin by adopting a simple framework that provides an enterprise perspective on your resources, processes, technologies, and corporate culture.  These components impact the accomplishment of your strategic goals and improve performance across your value chains.  

Next, agree on your internal audit’s role in the value chain.  This requires understanding the organizations… 

  1. strategic direction and alignment (align with changing customer expectations during and post-COVID-19), 
  2. risk management and monitoring, 
  3. operational efficiencies, 
  4. quality and compliance, 
  5. financial management and governance, and 
  6. responsiveness: to help management create, capture, and sustain value while adapting to the changing business environment.

Ultimately, priorities vary between organizations. The six components of the internal audit value chain (IAVC) should be continuously evaluated during and post-COVID-19 to help management create value, capture value, and sustain value in the context of your organization’s strategic goals.  

To help your management teams focus limited resources planning and executing audits and reviews that matter, confirm your organization has processes in place to achieve the following: 

(a) Prevent misalignments between enterprise strategy and the business unit and departmental priorities.

(b) Identify, prioritize, and mitigate risks impacting the accomplishments of your strategic goals.  This should include emerging risks and the rapid pace of evolving risks such as the COVID-19 pandemic. 

(c) Assist management in capturing and sustaining value by pursuing efficiencies.  This should include initiatives to embrace new technologies to support your clients and employees during and post-COVID-19.

(d) Validate that quality and compliance are baked into the culture of the organization.  The fastest way to frustrate valuable clients in difficult times is to provide products and services they need below their quality expectations.

(e) Continuously add value by improving your financial management and governance and monitor progress.

(f) Creating value is not enough. Assist your teams in capturing and sustaining value by being responsive to internal and external factors timely.

Quick Wins

Evaluate your current capabilities by performing a high-level assessment to accomplish the following:

  1. A “current state” risk-assessment.  The output will provide your organization with an updated risk profile and scorecard that can be used to make decisions towards enhancing your strategic risk-management capabilities. 
  2. Provide insights identifying new and emerging risks impacting the accomplishments of your strategic goals and objectives during and post-COVID-19.
  3. Management can use the output from the risk assessments to evaluate, prioritize, and develop plans to mitigate critical risks—and perform audits and reviews that matter.

Perform a Comprehensive Strategic Risk Assessment

We define strategic risk assessment as a set of policies, procedures, processes, systems, and resources that provide oversight on how an organization identifies and mitigates risks adapting to its changing business environment.    

Benefits of performing a strategic risk assessment include:

  • It provides a simple, flexible, and agile framework that can be customized and used throughout your organization to identify, prioritize, and mitigate current and emerging risks impacting the accomplishment of strategic goals.
  • A guide to implementing an integrated approach to risk-taking, risk oversight, and risk assurance functions eliminating redundancies in work performed.
  • Enable timely and accurate reporting to the Board and Committee’s, Executives, and Stakeholders.
Conclusion

In difficult times, management must often re-visit your business fundamentals and the strategy to make timely changes to ensure the organization continues to add-value, capture, and sustain value. The disruptions from COVID-19, accelerated the need for sound business practices and decisions that are centered around the mission—solving problems customers see as valuable and increasing their willingness to pay for your products and services.  Our next post will elaborate on steps you can take to re-visit your fundamentals, especially in difficult times.

Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a professional services firm providing internal audit outsourcing and internal audit co-sourcing services to government institutions, private-sector, and not-for-profit organizations in the US and the Asia Pacific (APAC) regions.

Disable UPnP on Your Wireless Router Already

This post was originally published on this site

Forwarding ports on your router so devices can talk to the outside world is a pain in the butt, so it makes sense why a technology like UPnP sounds so convenient. This automatic process assumes that it’s safe to expose your network to the internet when internal programs request access—which is generally true, unless…

Read more…

Many Internal Audit Failures Stem from Misalignment with the Company Strategy

This is Part I – Strategic Direction and Alignment of a revised six-part series on the internal audit value chain (IAVC).

Misalignments between enterprise strategy and business unit priorities must be identified and resolved as soon as possible to avoid long-term financial losses, reputational damage, and improve responsiveness to the changing business environment. 

Initial publication – May 7, 2018. Updated – May 15, 2020.

W

e’ve all heard the many clichéd ways to describe when multiple components are aligned in their goals or strategy: “We’re all in this together,” “we’re on the same page,” “we are singing from the same hymnbook,” “we’re operating on the same wavelength,” “we’re in lockstep,” “we’re rowing in the same direction.” And there are plenty more. The reason there are so many clever ways to say the same thing is that achieving alignment in a common goal is critical to the success of any group endeavor. Even one person marching to the beat of a different drummer can threaten the success of the entire group. This dynamic plays out in all facets of business activity, and we’ve seen countless examples of when a person or group causes problems when they have different objectives or are not in alignment with the larger group.

One area where this is all too common is in misalignment between the enterprise strategy and functional business units, operations, departments, or line-of-business (LOB) priorities. I would argue that it is this misalignment that is at the root of many recent corporate blunders that have resulted in costly and embarrassing public scandals and reputational damage. It is also possible that unresolved strategic misalignments over time created significant losses for many organizations impacted by the unprecedented COVID-19 pandemic.  When an internal audit or other assurance functions and business units have different or misaligned approaches to executing the strategy, disaster is often not far behind.  Strategic misalignments further complicate any organization’s ability to develop and implement a plan to respond in the short-term and long-term to the current COVID-19 challenges and other future events.

Over a six-part series on Internal Audit 360° and the Institute of Internal Auditors (IIA) Magazine publications, I outlined details about each component of the Internal Audit Value Chain. These are six links that, when all appropriately executed and working together, can elevate internal audit and provide excellent value to the organization.  They can act as a blueprint for building a successful and robust internal audit function to assist management teams across business units to not only “create value” but to successfully “capture value” and “sustain value.”

The first link in the Internal Audit Value Chain (IAVC) is strategic alignment.  Keep in mind that these priorities are different for each organization, are not static, and vary as objectives and needs evolve.

The Internal Audit Value Chain (IAVC)

The IAVC includes “the enterprise-wide initiatives impacting business functions, involving a combination of people, processes, technology, and corporate culture to drive the achievement of strategic goals and sustain profitability.” Internal audit’s role in the value chain requires an understanding of the organization’s:

  1. Alignment on the strategic direction
  2. Risk management and monitoring
  3. Operational effectiveness to include Continuous Process Improvement (CPI)
  4. Compliance and quality
  5. Financial management and governance
  6. Responsiveness to create, capture, and sustain value while adapting to the changing business environment.
Misalignment Misfortune

The first link in the Internal Audit Value Chain, alignment on strategic direction, is crucial to building a value-oriented internal audit department and requires strong leadership from the top of the organization. On the other hand, strategic misalignment is a recipe for disaster. It negatively impacts the organization’s ability to plan and execute its strategy – the inability to “create value.” It also results in losses – the failure to “capture value” and “sustain value,” and potential fraud, waste, and abuse.

There have been several reported corporate scandals. Examples include poorly managed vendor relationships—where third parties improperly gained access to the data of millions of users—due to misalignment between (1) business functions motivated to maximize revenue, with (2) partners and the assurance functions that are charged with protecting the organization from violating the trust of customers and members. Policies and standards are often designed to provide protection.  However, these can be easily circumvented when strategic misalignments are not identified and resolved timely.

I define strategic alignment as in-depth knowledge and application of the organization’s strategic direction, and agreement on its validity, by all the primary and secondary business functions. A misalignment occurs due to a lack of awareness or misapplication in executing the strategy by various departments or business functions.

This quote by Sun Tzu, author of the Art of War, captures the difficulty in achieving success without getting what we call in the modern age “buy-in” from all those involved in the endeavor: “Unhappy is the fate of one who tries to win his battles and succeed in his attacks without cultivating the spirit of enterprise; for the result is a waste of time and general stagnation.”

  • Why does strategic misalignment exist and remain unresolved for many public and private sector organizations, government institutions, and not-for-profit organizations?
  • What is the actual cost if not resolved over time?

The costs can be very high, as we have seen from the recent panic and rush across the globe to cope with the unprecedented COVID-19 pandemic.  We have also seen the struggles from major corporations like Facebook with the Cambridge Analytica scandal – 2018. Misalignment festered in the 2016 problems reported by Wells Fargo when employees opened accounts without the permission of customers, and many other examples too numerous to recount.

Eight Causes of Misalignment

There are eight primary reasons why strategic misalignment occurs and why management and internal auditors fail to resolve those imbalances when they do occur. They include:

1) LACK OF AWARENESS: Executive management, board and committees, and internal audit missed the boat. No one within the organization recognized the misalignment between the enterprise strategy and specific departmental goals. One problem here is that the overall strategic goals may be poorly communicated throughout the organization. What steps should management implement to prevent this from happening? Suggested actions include but are not limited to the following:

  • Evaluate existing policies and procedures and validate they remain relevant and updated to align with the enterprise goals and objectives.
  • Develop adequate metrics and key performance indicators – you cannot manage what you cannot measure.

If strategic misalignments exist and remain unresolved, how is it possible for internal audit to help management to create value, capture value, and sustain value?  Internal audit should collaborate with management as needed to prioritize issues and CPI projects that impact strategy and perform deep dives via audits and reviews that matter!

2) MANAGEMENT IS AWARE AND CAN’T RESOLVE PROBLEM: If management is aware of the misalignment, do they have adequate processes and controls with oversight to resolve those disconnects?  Remember, adequate processes and controls alone will not sufficiently solve the problem. Some reasons management may be aware of the problem but cannot fix it include weak leadership, rogue managers in critical positions, weak corporate culture, lack of an integrated CPI program, and poor communication between senior executives and business unit leads or functional managers.

3) COMPETING/CONFLICTING PRIORITIES: Let’s assume management has a refined approach to resolve issues. Without the proper emphasis and sensitivity towards resource constraints (capacity), the business unit and functional leaders will simply evaluate requests for corrective actions in the context of other competing priorities. This minimizes the effectiveness of resolving strategic misalignments throughout the organization.  It also compounds the problems, impacting the ability of the organization to respond to unprecedented challenges like COVID-19.

4) INAPPROPRIATE TONE AND CULTURE:  With the proper tone, the issues articulated in causes #1 to #3 could not have occurred, or will result in minimal impact to the organization.  If every business function or segment is not operating on the same wavelength, how could the organization accurately identify emerging and evolving risks, develop mitigation strategies (perform audits and reviews that matter), and effectively respond to disasters like COVID-19?

5) CONTINUOUS PROCESS IMPROVEMENT (CPI) PROJECTS ARE NOT ALIGNED WITH STRATEGIC GOALS: The quote from management sage Peter Drucker— “There is nothing so useless as doing efficiently that which should not be done at all,” highlights the challenges identifying and addressing strategic misalignments. It also eludes to why management and internal auditors fail to resolve those imbalances when they do occur.  Investments in CPI projects that are not linked to strategic goals and objectives create limited value to the organization.  Over time, management will identify and probably resolve symptoms from causes #1 to #4, such as missed delivery deadlines, poor service or product quality, and product recall, increased costs, loss of market share, customer complaints, employee turnover, lack of innovation, and other problems. Whatever losses that can be quantified at this stage are minimal when compared with the compliance and regulatory issues alongside sustained reputation damage.

6) INABILITY TO IDENTIFY AND MITIGATE RISKS: Managing high-level strategic risks (and achieving alignment on them) is impossible if they can’t be identified. This includes the organization’s ability to identify and prioritize emerging risks. Misalignment from enterprise strategy and business unit priorities at Wells Fargo resulted in adverse publicity over two to three years that began in 2016. It took a firm commitment from the bank’s leadership over multiple years to resolve. To cross-sell services, the bank failed to identify and mitigate risks from opening accounts without the customer’s permission.

The supply chain and other disruptions from COVID-19 raised questions about the effectiveness of existing risk management frameworks and mitigation efforts. An internal audit value chain analysis could have identified red flags and escalated findings to executives and the board timely.

  • What can internal audit learn from COVID-19 to be prepared for future crises and disruptions?
  • How could internal audit demonstrate its end-to-end value creation, value capture, and value sustainment capabilities?

7) COMPLIANCE IMPLICATIONS PLUS ADDED COSTS:  When executives must testify to Congress, the next logical expectation is increased regulatory pressures. This is often a significant cost that can’t be adequately quantified in the short term.  A combination of regulatory fines and seizure, class-action-law suits, and loss of major customers can accelerate the demise of the most profitable organization. Governments around the world have provided substantial financial support to bail out small and large businesses struggling to respond to COVID-19. Receiving bailouts from the government comes at a price.  This often results in increased regulatory scrutiny to apply lessons learned and prevent re-occurrence.

8) INABILITY TO EXECUTE MISSION AND MEET CUSTOMERS EXPECTATIONS: For any business and government institution, the ability to execute the mission and keep customers happy requires an alignment between the enterprise strategy and business unit priorities. Skilled employees working as part of cross-functional and collaborative teams focused on the mission and customer is imperative. The supply chain disruptions and other unprecedented effects of COVID-19 impacts how most organizations, including government institutions, execute their missions, and meet customers’ expectations. Unfortunately, many have struggled and will continue to struggle post-COVID-19.  The ability to adapt and respond quickly will impact customers’ decisions.  They can simply reject a brand or minimize how they use a product or service.

Conclusion

“Internal Audit touches all the primary activities in the value chain, and, in addition, can streamline support activities through compliance audits and process evaluations,” writes Emily Ray in her paper, “How Modern Internal Auditing Assists Organizations in Achieving Strategic Objectives.”

To arrive at this conclusion, Ray adapted Michael Porter’s generic value chain model from his competitive analysis showing the primary and secondary value creation activities of an organization.

Internal auditors must think in the context of the Internal Audit Value Chain and the steps required to maintain that “value creation” objective as a starting point. Steps must also be taken by internal audit to help their management teams to “capture value” and “sustain value” for their respective organizations. This requires an end-to-end value chain mindset.  Misalignments between enterprise strategy and business unit priorities must be identified and resolved as soon as possible to avoid long-term financial losses, reputational damage, and improve responsiveness to the changing business environment.

Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a professional services firm providing internal audit outsourcing and internal audit co-sourcing services to government institutions, private-sector, and not-for-profit organizations in the US and the Asia Pacific (APAC) regions.

Eight Steps Internal Audit Should Take to Aid Risk Management

This is Part II – Risk Management and Monitoring of a revised six-part series on the internal audit value chain (IAVC).

“According to the IIA, Internal audit can serve as a disruptor, relentlessly challenging the status quo and identifying and focusing on emerging risks, while factoring the rapid pace of evolving risks.” 

Initial publication – June 27, 2018. Updated – May 15, 2020.

W

henever it comes to talking about internal audit’s role in risk management, things always get a little dicey.  Everyone agrees that internal audit has a vital part to play in risk management, but just where to draw the line is still a controversial topic.  Some think internal audit should play a lead role in risk management, setting the risk management agenda, provide assurance, insights, and advice to management on risk issues while collaborating in a consulting capacity to help the organization achieve objectives. Others take a more purist position, stating that internal audit should only be there to audit the risk management function.

It’s not surprising. There are widely divergent views on the job of internal audit in general. As an internal auditor, I often ask clients and stakeholders what they believe to be my role. The answers tend to vary widely depending on the maturity level of the client’s internal controls environment. Some see internal audit mainly as the function in charge of the Sarbanes-Oxley (SOX), and the Office of Management and Budget (OMB) compliance, while others say that it is to uncover fraud or malfeasance. The one standard reply, however, that internal auditors are the “controls experts,” rarely changes. I wonder what responses these clients and stakeholders will provide as answers to the same question post-COVID-19.

That makes me ponder. Where did I fail in educating clients and stakeholders about internal audit’s roles and objectives?

If stakeholders have a narrow and incorrect idea of the problems we solve as internal auditors, what are we doing collectively to change that perception?

This well-known quote by psychologist Abraham Maslow illustrates how easy it can be to incorrectly define a problem: “If the only tool you have is a hammer, then every problem looks like a nail.” If stakeholders view internal auditors as only “control experts,” then I can correctly rephrase Maslow’s quote to say: “If our only tools as internal auditors are controls, then every problem looks like a potential risk.”

If we want to think more broadly and entirely about the role of internal audit in risk management, we need to think beyond controls. The unprecedented impact from COVID-19 emphasizes the need for internal audit to view problems as potential risks (emerging and evolving risks) and think beyond controls.  Internal audit must proceed with caution.  Identifying, prioritizing, and mitigating risks (including emerging risks and threats, and the pace of rapidly evolving risks) belongs to the risk owner—management. In the process of adding value by helping management solve problems, they recognize as vital; internal audit can provide support without compromising its independence.

  • Understanding your organization’s strategic objectives is a starting point.
  • Providing support for management to identify and mitigate risks that impact the accomplishment of your organization’s strategic goals and objectives is the next logical step.
  • This is the first step towards performing audits and reviews that matter.

So then, what tools are required for the modern internal audit function to assist management and the Board of Directors navigate the volatile and complex risk environment to create value?

In Part – 1 of the Internal Audit Value Chain (IAVC) – “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” I provided justifications for internal auditors to think in the context of a “value chain” and the steps required to maintain that “value creation” objective as a starting point. Creating value is not enough.  Steps must also be taken by internal audit to help their management teams to “capture value” and “sustain value” for the organization. This requires an End-to-End (E2E) internal audit value chain mindset. 

The internal audit risk management toolbox should include the following to support management, and your organization to succeed without compromising its independence:
• The identification of risks (include emerging risks and factor the pace of rapidly evolving risks)
• The prioritization of risks (avoid being blindsided from risks exposed by pandemics like COVID-19)
• The evaluation of the underlying processes, systems, and management’s capabilities to manage risks
• The design and implementation of internal controls to mitigate risks (especially strategic risks)
• The continuous monitoring and evaluation of controls to determine their effectiveness in mitigating risks

These are essential ways we can create value as internal auditors and help our management teams to capture the value and sustain value. This is how clients and stakeholders should define our roles as “control experts.”

The Internal Audit Value Chain (IAVC)

It’s been well established that internal audit must seek to add value if it is to prove its worth in the organization.  In the first article in this series, “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” I defined the IAVC and its key components. The IAVC includes “the enterprise-wide initiatives impacting business functions, involving a combination of people, processes, technology, and corporate culture to drive the achievement of strategic goals and sustain profitability.” Internal audit’s role in the value chain requires an understanding of the organization’s:

  1. Strategic direction and alignment
  2. Risk management and monitoring
  3. Operational efficiencies to include Continuous Process Improvement (CPI)
  4. Quality and compliance
  5. Financial management and governance
  6. Responsiveness to create, capture, and sustain value while adapting to the changing business environment.

It’s essential to keep in mind that these priorities are not static and vary as enterprise objectives and needs evolve. In this article, Part two, we are looking, as you have now guessed, at risk management and monitoring.

In the Institute of Internal Auditors’ Internal Auditor publication, “Optimizing Internal Audit,” I defined risk assessments as they relate to ongoing organizational activities to include: an understanding of internal audit priorities that drive annual audit plans and information obtained and evaluated by internal auditors from continuously interacting with stakeholders. Internal auditors simply must have a strong understanding of the macro and micro risks and emerging risks impacting their respective organizations.
Eight Steps to Navigate Volatile Risk Environments

There are eight primary steps internal audit teams can take in collaboration with stakeholders to identify and mitigate emerging and evolving risks that could have a significant impact on their organizations if ignored. They include:

1) THREE LINES OF DEFENSE COLLABORATION: There are many adaptations of the three lines-of-defense (LOD) approach to involve business lines, risk management, and compliance and audit team collaboration in identifying and managing risks. KPMG provided an excellent example of collaboration in a white-paper by Doron Telem titled “The Three Lines of Defense: Making the Transition to a Mature Risk Management Model.” In the paper, Telem asserts that such collaboration, “could entail workshops with management, as well as some external expertise and interviews (including with non-management individuals) to ensure as many issues as possible have been considered.”

I prefer consulting the IIA position paper: “Three Lines of Defense in Effective Risks Management and Control” as the base-line. The IIA paper acknowledges the unique factors impacting every organization that must be considered in coordinating the three LOD duties and the underlying role of each group in the risk management process.

For a recap of the three LOD:
• The first LOD consists of department managers who are the owners of risks.
• The second LOD consists of risk management, control management, and compliance professionals with limited independence identifying and mitigating risks.
• The third LOD consists of risks assurance professionals with greater independence, such as internal audit reporting to the audit committee or other governing body.

Before assigning any Manager as a “risk owner,” steps must be taken to validate that a risk owner has the technical skills to understand the dynamic nature of the risks assigned to them. If a Manager began as a bank teller say 30 years ago, for example, and excelled through promotions into leadership positions, assigning key risks to such a Manager without evaluating his or her skills in the context of the current operating environment would be significantly risky. The threats to banking have evolved a great deal during the past 30 years.

The IIA paper concludes that all three-lines should exist in some form at every organization, regardless of size or complexity. A modified version of this framework is needed to include lessons learned from COVID-19 for any organization, including government agencies and institutions, to identify and mitigate risks effectively.

2) EFFECTIVE RISK MANAGEMENT METHODOLOGY:  According to the IIA’s 2018 North American Pulse of Internal Audit report, Chief Audit Executives (CAEs) need to position internal audit to be an internal disruptor, relentlessly challenging the status quo and identifying and focusing on emerging risks.  According to the IIA’s 2019 report, “over the past decade, the speed at which risks emerge and evolve has accelerated dramatically, compelling organizations to adopt new strategies and reorder priorities to survive and thrive in an increasingly complex risk environment.”

An objective methodology should be used to evaluate and prioritize risks in the context of the organization’s strategic direction. The process should be simple, ongoing, and provide flexibility and agility to make timely changes as new information becomes available. A comprehensive risk assessment methodology should include mitigation strategies in the context of the organization’s resources, culture, processes, technology, and risk tolerance.

Can internal audit adopt a simple risk management framework that provides flexibility to address emerging and evolving risks and the agility to adapt to the changing business environment?  Complexity is the enemy.

To demonstrate its end-to-end value creation, value capture, and value sustainment capabilities, internal audit must focus on simplicity and sustainability. Internal audit can’t provide complex solutions towards addressing complex risk management challenges that are emerging and evolving at an accelerated pace.

3) ESTABLISH CLEAR ROLES AND AUTHORITY:  How much authority does the Operational Risk Management (ORM) function and the Chief Risk Officer (CRO) have in influencing critical decisions at your organization?  For big organizations, ORM is a highly specialized function requiring complex data analysis and modeling skills with the responsibility to identify and monitor risk exposures against tolerance levels.

Executives, committees, and business unit managers making key decisions might not view risks through the same lens as ORM experts. Could there be instances when ORM predicted an incident but lacked the authority to mitigate the risks? It happens all the time.

Small organizations do not need formalized ORM and CRO functions.  However, there must be an independent process with adequate oversight responsibilities to identify and prioritize risks and address challenges related to emerging and rapidly evolving risks.  Any disconnect between ORM or risk management oversight teams’ conclusions and management decisions create challenges for an independent function such as internal audit.

4) CONTINUOUS MONITORING AND ASSESSMENTS:  I have always wondered why the concept of continuous auditing and monitoring is frequently discussed by internal audit practitioners but not often implemented. Plenty of literature exists on this topic. A Deloitte white-paper, “Continuous Monitoring and Continuous Auditing: From Idea to Implantation,” for example, covers this topic in great detail. The paper provides two critical explanations as to why few organizations implement continuous monitoring and auditing.

  • First, management has not seen a clear, strong business case for establishing either continuous monitoring or continuous auditing in their organizations.
  • Second, management lacks a clear picture of how continuous monitoring and auditing would be implemented.

Internal audit should develop a strong business case and provide a clear picture for management to decide on continuous monitoring and auditing.  Given the increasing threats and dynamic nature of risks confronting many organizations, an inflexible or static “annual audit plan and risk management” approach will not provide the responsiveness needed for internal audit to change course, and help management identify and mitigate risks (including emerging risk and rapidly evolving risks) quickly.  Did the organizations that implemented continuous monitoring and auditing respond and adapt better to the COVID-19 challenges? My instinctive answer is, yes.

5) TEST HIGH-RISK CONTROLS, PROCESSES, AND FUNCTIONS: Performing audits and reviews that matter is a critical value-creation step for internal audit.  If it does not impact strategy, does it matter? My instinctive answer here is no.

If the cost of implementing a given control should not exceed the benefits of that control, then some element of prioritization is needed to determine which controls to test and when. Internal controls that mitigate key risks to the organization across various business functions are the logical places to start. Management and internal audit can use other subjective factors to include operational or compliance needs and determine other areas to perform Test-of-Design (TOD) and Test-of-Operating Effectiveness (TOE).

Using limited resources to perform extensive TOD and TOE without a focused approach on risks and strategy implications is not ideal. With adequate planning and emphasis, performing TOD and TOE remain critical tools for internal audit to use in navigating volatile risks environments. Findings from controls testing, or Continuous Process Improvement (CPI) projects create value if recommendations are provided timely, and appropriately documented in a way management can understand. This speeds up corrective actions enabling management to make critical decisions to “capture value” and “sustain value.”

6) CONSENSUS ON FINDINGS AND RECOMMENDATIONS:  For any collaboration to be expected from management, and executive leadership, internal audit should have obtained their blessing on which areas to review as part of annual or periodic audit planning. Perform audits and reviews that matter.  For the three-lines-of defense to function appropriately, stakeholders—including ORM and CRO—must collaborate extensively during the audit planning, execution, reporting, and remediation phases. Without this level of participation, internal audit will run into several roadblocks along the way to navigating volatile risks environments. The interpersonal, problem solving, communication, and technical skills of the internal audit team are the foundations of any effort to obtain consensus on findings and recommendations.

7) FOSTER A POSITIVE CORPORATE CULTURE AND TONE: Quantifying and qualifying the impact of failures of culture and tone, if not adequately addressed, are near impossible in the long term. Consistent shortcomings stemming from the poor tone, sub-culture clashes across different functions within an organization, lack of skills to identify and mitigate key risks, and inability to implement continuous monitoring and adequate oversight are a few examples that could expose an organization to significant risks and losses.

Internal audit will see these dynamics at varying levels while executing our missions. Failures to accept the reality and risks associated with these problems can be directly linked with the inability of the internal audit function to navigate volatile risks environments to create value, capture value, and sustain value.

8) EXCESSIVE RISK-TAKING: There are no easy solutions for regulators to effectively enforce regulations across industries to protect consumers and create desired outcomes. Regulators are often behind the times or allow loopholes—often temporary—in the enforcement of regulations.  Management will often use these loopholes, or the “everyone is doing it” rationale to justify excessive risk-taking. Internal audit must understand external factors and loopholes used by management to obscure the true risk landscape and implement adequate processes to identify and mitigate risks.


Conclusion

While these eight steps are not the totality of internal audit’s role in helping the organization identify and manage risk, they provide a reliable roadmap for internal audit to navigate the volatile and complex risk environment and create value for the organization along the way.

Executives and managers should empower risk management and internal audit teams to help quickly identify risks, prioritize risks, evaluate the underlying process and systems related to risk management, and assess the design and implementation of internal controls to mitigate risks. Significant risks must be identified, and mitigation strategies and controls implemented promptly to avoid financial losses and reputational damage.

Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a professional services firm providing internal audit outsourcing and internal audit co-sourcing services to government institutions, private-sector, and not-for-profit organizations in the US and the Asia Pacific (APAC) regions.

How Internal Audit Can Add Value by Pursuing Efficiencies

This is Part III – Operational Efficiencies of a revised six-part series on the internal audit value chain (IAVC).

Management should empower business unit leaders and internal audit teams to continuously challenge the status quo, starting with mission-critical activities to drive operational efficiencies.

Initial publication – September 23, 2018. Updated – May 15, 2020.

T

here are few efforts company leaders love more than a little old-fashioned belt-tightening.  Well-run companies are on a constant campaign to trim the fat, cut out the deadwood, streamline operations, and get things humming along at a smoother pace. The textbook version of this concept is called “achieving operational efficiencies.” Like most initiatives worth pursuing, there is a significant role for internal audit to play in helping the organization achieve a leaner, meaner, and better version of itself.  In fact, what corporate function is more equipped to weed out operational inefficiency than internal audit? Let me provide a few reasons.

  • Internal auditors have the skills to expertly assess processes,
  • The knowledge of the business functions and operations to understand how things fit together,
  • The proficiency in analyzing big data, and utilizing a risk-focused approach to audit what matters,
  • The distance and independence to evaluate problems with an open mind, and
  • The discipline to make recommendations in a thoughtful, organized way.

Here’s another benefit that internal audit brings to the efficiency table: Trimming the fat can occasionally cut into the bone, removing layers of needed redundancy or oversight.  However, internal auditors, with their expertise in controls and risk management, are better equipped than most to ensure that the pursuit of operational efficiency doesn’t leave a company exposed to potential fraud and abuse, or too thin to adapt and respond to the changing environment or take advantage of opportunities.

The unprecedented challenges from COVID-19 disrupted businesses globally across every sector as of February 2020. Some organizations have responded to the difficulties relatively well, while others continue to struggle. Why?  The efficient use of resources and technology provides management with the flexibility to pivot and the agility to quickly reallocate resources to respond to the pandemic efficiently.  Such organizations typically have well managed  Continuous Process Improvement (CPI) projects, enhanced processes, and lean operations. An essential function of internal audit is to foster improved organizational processes and operations. Reviews are performed in line with the applicable Institute of Internal Auditors (IIA) standards to evaluate the effectiveness and efficiency of operations and programs.

There is no other independent and qualified function within an organization to provide an objective opinion of an efficient or inefficient operation and promote continuous improvement than internal audit. This continues to be part of the “new normal” since the disruptions and challenges from the COVID-19 pandemic.

The push to do more with less is driven by expectations from customers for increased product and service quality and reliability and at competitive rates and reduced costs. In the long-term, customers will not care how a pandemic like COVID-19 impacts an organization. Internal audit teams simply must do their part—in helping management create value, capture value, and sustain value to achieve goals through operational efficiencies.

The Internal Audit Value Chain (IAVC)

It’s been well established that internal audit must seek to add value if it is to prove its worth in the organization.  In the first article in this series, “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” I defined the IAVC and its key components. The IAVC includes “the enterprise-wide initiatives impacting business functions, involving a combination of people, processes, technology, and corporate culture to drive the achievement of strategic goals and sustain profitability.” Internal audit’s role in the value chain requires an understanding of the organization’s:

  1. Strategic direction and alignment
  2. Risk management and monitoring
  3. Operational efficiencies to include Continuous Process Improvement (CPI)
  4. Quality and compliance
  5. Financial management and governance
  6. Responsiveness to create, capture, and sustain value while adapting to the changing business environment.

It’s essential to keep in mind that these priorities are not static and vary as enterprise objectives and needs evolve.  This installment, part three, addresses, as you have now guessed, operational efficiencies as a critical means for internal audit to create and sustain value by helping management implement efficient processes. They do this by

  • standardizing certain tasks,
  • reducing complexity,
  • eliminating none-value add steps, and avoiding unnecessary duplication of efforts,
  • defining business requirements, managing CPI projects, and
  • selecting and implementing the right technologies.
Technology Implications

Indeed, technology is a frequently used tool to drive operational efficiencies. Process automation software, Robotic Process Automation (RPA) initiatives, and other applications, for example, are often used by big and small businesses globally. These products facilitate business communications, management of projects, and various initiatives effectively and efficiently. Yet automation is not always a silver bullet for increasing efficiency.

I often consider this quote by Bill Gates when discussing operational efficiencies with clients: The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency.” The best part of the quote follows: “The second is that automation applied to an inefficient operation will magnify the inefficiency.”

Internal audit plays a critical role across all line-of-business (LOB) functions to help management magnify the impact of efficient operations—those that support the company meet customer’s needs, reduce costs, and increase profitability—and minimize the effects of inefficient operations—those that are poorly designed, needlessly increase complexity, hinder decision making, and obscure performance. Such inefficient operations can be compounded by inappropriate use of technology, resulting in significant cost and the inability to respond to a pandemic like COVID-19. Technological inefficiencies can result in fraud, waste, and abuse.

If internal audit is creating value by auditing what matters, then the right technology or technologies must be adopted—driven by the nature of problems we are assisting management in solving.  Technologies are not selected and approved strictly from an internal audit perspective, such as the tools to plan, execute, and report on various audits and reviews. Such a selection approach means so little to the functional managers we support.  The right technology should focus on the following:

  • What type of information does internal audit need from the business to review and add value?
  • What is the best technology to obtain, evaluate, and analyze this information?
  • What output could internal audit provide from using this technology?
  • How will the output help management to create value, capture value, and sustain value?
  • What trends does internal audit see from analyzing data and highlight issues to facilitate meaningful conversations with management?
  • How could the output from internal audit help management and internal audit gain insights to effectively resolve critical problems and perform deep dives to review what matters to management?
  • What should internal audit and management do differently DURING and post-COVID-19?
Eight Steps to Drive Operational Efficiencies


In the article, “Optimizing Internal Audit” from the IIA’s Internal Auditor publication, I highlighted that internal auditors, armed with knowledge about the organization’s strategic direction and overall risks, can apply basic operational audit principles to drive results. Recommendations for cost-effective and sustainable solutions that reflect the context of the industry and issues unique to the organization (customer needs and mission-critical activities) should be foremost areas to drive operational efficiencies. Internal auditors should perform reviews to determine the required training and skills across functional areas and assess the use of optimal processes and technologies to achieve and sustain operational efficiencies.

There are eight primary steps internal audit teams can apply throughout an organization in collaboration with stakeholders to help management create, capture, and sustain value through operational efficiencies. They include:

1) PRIORITIZE CUSTOMER NEEDS AND EXPECTATIONS:  Finding and retaining customers is the lifeblood of any organization.  Internal audit reviews to evaluate the effectiveness and efficiency of operations and programs should begin with how the organization meets and exceeds customers’ needs and expectations effectively and efficiently.   Some factors to consider include but not limited to, the following:

  • What known and emerging risks could significantly impact the organization’s ability to meet and exceed customers’ expectations?
  • What trends or data, and tools can internal audit use to evaluate the pace of emerging and evolving risks and how that impacts the organization from meeting changing customer expectations?
  • How could the organization provide quality products or services during a disaster when operations are impacted at one location or multiple locations?

Other essential factors in evaluating the effectiveness and efficiency of operations include, but is not limited to, the following activities:

  • product and service quality and reliability, including quality controls,
  • product and service mix and pricing, and
  • responsiveness to customer complaints, product recalls, and service interruptions,

These are examples of mission-critical activities with significant risks and costs to the organization if not managed properly and should be at the top of the list of internal audit operational review priorities.

2) EVALUATE AND IMPROVE HUMAN CAPITAL REQUIREMENTS: If keeping customers happy is the top priority, then finding and retaining qualified employees is critical to achieving that goal. How an organization recruits, selects and retains employees is central to the success of its operations and its ability to create value, capture, and sustain value with limited resources.  An understanding of the enterprise-wide hiring and retention processes in the context of organizational goals and strategies is vital for internal auditors to evaluate operational effectiveness. This includes assessments to determine if current tasks can be performed better, faster, and cheaper without compromising customer and public expectations, cost, quality, and regulatory requirements.

Such reviews provide internal audit with visibility to staff and management skills (including strengths, weaknesses, and gaps) throughout the organization.

Internal audit independence should never be compromised by performing core management activities. Internal audit can, however, leverage enterprise knowledge to provide management with recommendations to improve resource strategy by evaluating critical skill requirements of the organization such as (a) how it finds qualified employees and managers to fill needs, and (b) how to get the highest-quality work by providing the right incentives, work environment, and tools to meet the organization’s objectives.

Investment in a skilled workforce that can function within the dynamic nature of the organization’s business environment and maintain lean operations is critical.  Factors to consider include but not limited to, the following:

  • Does the existing policies and procedures provide clarity and guidance on how staff and contractors can work-onsite and offsite?
  • Have these policies and procedures been updated to guide remote work teams during COVID-19?
  • What challenges emerge when staff trained to work on-site to process transactions, and retain evidence, who must now access critical data remotely, to handle the same transactions offsite and maintain evidence digitally?
  • How could such a sudden transition impact current and future audits, reviews, and examinations?

3) CONTINUOUSLY IDENTIFY AND MITIGATE EVOLVING RISKS: Three core risks can impact operations:

  • Risks to customers – internal and external factors that could prevent the organization from meeting customers’ needs and expectations.
  • Risks to employees and stakeholders – internal and external factors that could radically change how cross-functional teams collaborate to deliver products and services within cost and quality parameters.
  • Risks to organizational continuity – internal and external factors impacting operations across multiple locations, and the organizations ability to quickly adapt and respond to those challenges.

Note:  Identifying, prioritizing, and mitigating risks (including emerging risks and threats, and the pace of rapidly evolving risks) belongs to the risk owner—management.  In the process of adding value by helping management solve problems, they recognize as vital; internal audit can provide support without compromising its independence.    

It is important to note emerging risks associated with these three categories, and how current risks evolve, and the pace at which these risks evolve.  Internal audit must also understand the potential conflicts that can arise across business functions and operations when mitigating risks. Internal audit must understand the evolving regulatory landscape that could impact operations and provide guidance for management to implement adequate steps to prevent the following:

  • Regulatory violations that could result in fines,
  • Enforcement disruptions,
  • Unplanned disruptions from natural disasters and pandemics like COVID-19,
  • Reputational damage, and
  • Class action lawsuits.

4) PROVIDE A PLATFORM TO EXECUTE CONSISTENTLY AND DELIVER SUSTAINED PROFITABILITY: Designing and implementing efficient processes, systems, and tools is a challenge for many organizations. Training employees and documenting policies and procedures to guide consistent execution is another challenge. Internal audit can help functional managers re-engineer critical business processes to eliminate fraud, waste, and abuse and deliver improved financial performance. Examples of such initiatives include those that focus on:

  • Continuous Process Improvement (CPI),
  • improving inventory management,
  • reducing cycle times,
  • increasing speed and accuracy of transaction processing, and
  • minimizing human intervention by automating efficient operations.

They also include asset management reviews, information technology assessments, and reviews to reduce product defects and improve quality controls. Such activities have the benefits of enhancing the organization’s ability to respond to an unprecedented pandemic like COVID-19, minimize customer complaints, improve productivity, reduce cost, and increase profitability.

5) ACHIEVE AND SUSTAIN MARKET DOMINANCE: How well an organization executes its strategy impacts how quickly it can achieve and sustain market dominance. To create value, internal audit must identify and resolve strategic misalignment problems timely (IAVC Part I – Strategic Alignment). That is the first step for internal audit to create value, and continue to help management capture and sustain value by assisting with the following: respond to customer needs and expectations, productively engage employees, manage risks, address shareholder requests, and improve profitability. For government institutions, internal audit should play a role to assist management with the stewardship and accountability of taxpayer resources.  Internal audit can help the organization maintain market dominance by fostering an environment of continuous innovation.

I must stress internal audit independence should never be compromised by performing management tasks. Internal audit can, however, assist management in achieving market dominance through operational efficiencies without compromising its independence.

6) CHALLENGE THE STATUS QUO AND CONTINUOUSLY INNOVATE: Achieving operational efficiencies throughout an organization is not a static goal. Many organizations have achieved operational efficiencies that resulted in market dominance and significant profits over the short term but eventually failed over time. Some profitable organizations might not recover from the COVID-19 disruptions.  That is because they became unsuccessful at innovating or adapting to the changing environment after an initial success. Internal audit frequently interacts with stakeholders throughout the organization. It has the expertise to help management challenge the status quo through Continuous Process Improvement (CPI), and adapt by fostering innovation and achieving sustainable growth critical to the long-term survival of the organization.

According to the PwC 2018 State of the Internal Audit Profession Study: Moving at the Speed of Innovation, internal auditors can serve in this valuable capacity only if they themselves are innovating. Internal audit must acquire new skills to perform operational effectiveness reviews and test controls mitigating risks related to new technology implementation and technology-driven processes.

Without innovation, internal audit might fail at creating value for the organization, and unable to help management capture and sustain value through operational efficiencies.

7) CREATE A CULTURE OF EFFICIENCY AND CONTINUOUS IMPROVEMENT: Culture cuts across every aspect of the organization. Internal audit plays a critical role to identify and help stakeholders implement aspects of corporate culture that are conducive to continuous monitoring, provide guidance to develop a culture of problem solvers, and achieve operational efficiencies. A corporate culture that encourages shared successes provides the right incentives as teams continuously adapt to customer needs and expectations. It speeds the process to evaluate evolving risks and changing regulatory environments—critical steps towards achieving and sustaining operational efficiencies.

8) MONITOR PROGRESS:  Using the right Key Performance Indicators (KPIs) and Metrics and close attention to the Key Risk Indicators (KRIs) are vital tools for management and internal audit to evaluate progress.   Data collected and analyzed over time, provide early alerts to areas impacting strategic goals. Internal audit can use this data (KPIs, Metrics, and KRIs) to perform deep dives (plan and execute audits and reviews that matter) to understand the root causes of operational inefficiencies, and provide recommendations for management to monitor performance and make timely adjustments.

The New Normal

While these eight steps are not the totality of internal audit’s role in helping the organization achieve and sustain operational efficiencies, they provide a reliable roadmap for internal audit to collaborate with management—without compromising its independence—and create value, capture and sustain value for the organization along the way.

The reality of coping with the “new normal–doing more with less” existed pre-COVID-19 and will remain the same post-COVID-19.  That means internal audit must do more to help management without compromising its independence address the fundamental features of the organization, such as customer service, human capital, strategy alignment, risk management, and periodically review the effectiveness of Continuous Process Improvement (CPI) initiatives.  These are value-added steps rather than just focusing on the traditional, financial-based internal audit tasks. Executives and managers should empower business unit leaders and internal audit teams to continuously challenge the status quo, starting with mission-critical activities to drive and sustain operational efficiencies.

Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a professional services firm providing internal audit outsourcing and internal audit co-sourcing services to government institutions, private-sector, and not-for-profit organizations in the US and the Asia Pacific (APAC) regions.