This is Part VI – Responsiveness to the changing Environment of a revised six-part series on the internal audit value chain (IAVC).
Responsiveness and adaptability require agility, excellent communication, and collaboration between the modern internal audit department and functional managers. How well an organization anticipates and reacts to the changing business environment is critical towards success.
We now know the importance of multiple components aligned in their goals or strategy. And we also know that achieving alignment in a common goal is critical to the success of any endeavor. Everyone agrees that internal audit has a vital part to play in risk management, but just where to draw the line is still a controversial topic. And, like most initiatives worth pursuing, there is a significant role for internal audit to play in helping the organization achieve a leaner, meaner, and better version of itself.
The emphasis on product and service quality is even more critical now as organizations across the globe with support from internal audit scramble to respond and adapt to the unprecedented disruptions from COVID-19. We also have a better understanding of the myths about internal audit—and agree that improving financial management and governance is as important as it has ever been. Initiatives to improve financial management remains essential, considering the rapidly changing roles of the CFO function.
The above paragraphs communicate the importance of internal audit and the challenges it faces towards creating value. You might have to reread these paragraphs to understand the missing and the most critical link, responsiveness.
Internal audit can maintain its independence, enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight; while collaborating with management teams across business functions and locations to help them create, capture, and sustain value by improving responsiveness. How is this possible?
Let’s begin by evaluating the internal audit “value chain” and the steps required to maintain that “value creation” objective as a starting point. Creating value is not enough. Steps must also be taken by internal audit to help their management teams to “capture value” and “sustain value.” This requires an End-to-End (E2E) internal audit value chain mindset.
The Internal Audit Value Chain (IAVC)
It’s been well established that internal audit must seek to add value if it is to prove its worth in the organization. In the first article in this series, “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” I defined the IAVC and its key components. The IAVC includes “the enterprise-wide initiatives impacting business functions, involving a combination of people, processes, technology, and corporate culture to drive the accomplishment of strategic goals and sustain profitability.”
Internal audit’s role in the value chain requires an understanding of the organization’s:
- Strategic direction and alignment
- Risk management and monitoring
- Operational efficiencies to include Continuous Process Improvement (CPI)
- Quality and compliance
- Financial management and governance
- Responsiveness to create, capture, and sustain value while adapting to the changing business environment.
This part six installment addresses responsiveness. Responsiveness and adaptability require agility, excellent communication, and collaboration between the modern internal audit department and functional managers. To help the organization accomplish strategic goals by auditing what matters, internal audit must collaborate with management teams—striking a balance between audit vs. advisory responsibilities to maintain objectivity and independence.
The ongoing process to measure and analyze the ever-changing business environment, learn during strategy formulation, and enhance capabilities as part of strategy execution requires agility. The inability to (1) identify and mitigate risks (including emerging risks and threats) that could impact strategy, (2) no follow-up actions to validate satisfactory resolution of critical findings, (3) not addressing compliance issues, customers, or client’s complaints timely and effectively, may result in considerable financial losses and reputational damages for any organization or government institution. These are a few examples of a lack of responsiveness.
To be considered a trusted advisor, management, the Board of Directors (BoD), committees and stakeholders must believe internal audit creates sustainable value. For this to happen, internal audit must show adequate capabilities and always demonstrate integrity, competence, and due professional care. Accomplishing these is not easy. To magnify some of the challenges internal audit encounters, think about the answers to these questions as it relates to your organization. The solutions will evolve as your business environment changes.
- What are the challenges encountered by the business operations supported by your internal audit team?
- What are some of the problems your internal audit team is helping management to solve?
- Do these problems impact strategy or address critical challenges faced by management?
- What is the best way for your internal audit team to help management resolve these problems and prevent re-occurrence while maintaining its independence and objectivity?
- Will additional skills be needed to plan and execute audits and reviews that matter, recommend, and implement optimal solutions?
Given the dynamic nature of the global and competitive business environment, the organization’s priorities, risks, and regulatory and compliance requirements along-side changing customer expectations are not static. The problems evolve, and the solutions must vary. Responsiveness, flexibility, agility, and adaptability are critical for any internal audit function to address the above questions.
In the course of planning and executing risk-focused audits and reviews, internal auditors gain visibility to potential threats and fraud, critical risks including emerging risks, and the pace of evolving risks. Internal audit also has visibility to Continuous Process Improvement (CPI) projects and provides input during the planning and execution phases. With visibility to the previous audit, regulatory and compliance review findings, and CPI project recommendations, the internal audit function should track the status of all unresolved findings impacting the organization’s ability to accomplish strategic objectives. If ignored due to lack of responsiveness, the organization will struggle to react to an unprecedented event or pandemic like COVID-19. Some of the unresolved findings can result in embarrassing publicity, fines, and severe reputational damage.
Internal audit must also implement a framework to identify, prioritize, and assist management to be responsive and help escalate significant issues to executives, the board of directors, and appropriate committees timely. Assuming the internal audit function is appropriately positioned and adequately resourced, sensitive topics such as management’s inability to effectively identify emerging threats and evolving risks, implement a simple risk management, and compliance framework, fraud, regulatory and compliance violations cannot wait for internal audit teams to complete an assessment and issue a final audit report. Neither can such issues wait for external auditors to identify and report as part of the annual financial statement audits. Providing timely information to management, the BoD, and stakeholders in a manner they can understand and make appropriate decisions are critical for internal audit to add value and improve responsiveness.
Taking the Right Steps
This final installment addresses responsiveness and adaptability as a critical means for internal audit to create value by helping management and other stakeholders anticipate and adjust to evolving customer expectations, risks, and the changing business environment. It does this by evaluating and facilitating a process for management, executives, the board of directors, and committees within their respective organizations to be responsive timely. The Chief Audit Executive (CAE) needs to develop and implement a framework to monitor and evaluate progress on the following goals:
- Provide insights based on an understanding of the enterprise strategy and challenges that stand in the way of accomplishing objectives due to a lack of responsiveness. This includes timeliness making changes to adjust to the dynamic environment – Strategic Direction and Alignment, Part I of the IAVC.
- Leverage internal audit experience and lessons learned from performing reviews and audits linked to core risks impacting the accomplishment of objectives. Responsiveness is imperative for all findings related to core business risks, fraud, compliance, and regulatory issues or customer complaints – Risk Management, Part II of the IAVC.
- Promote organizational improvement – Operational Efficiencies, Part III of the IAVC.
- Help management across essential business operations and locations to consistently meet and exceed products and service quality – Quality and Compliance, Part IV of the IAVC.
- Improve financial management and governance and continuously embrace change – Financial Management, Part V of the IAVC.
Part VI – Responsiveness, connects all the dots in the IAVC and is considered the most critical step for any internal audit function to assist management create, capture and sustain value.
Note: Identifying, prioritizing, and mitigating risks (including emerging risks and threats, and the pace of rapidly evolving risks) belongs to the risk owner—management. In the process of adding value by helping management solve problems, they recognize as vital; internal audit can provide support without compromising its independence.
Eight Steps to Improve Responsiveness to the Changing Business EnvironmentThere are eight primary steps internal audit teams can apply throughout an organization in collaboration with management and stakeholders to accomplish the following: improve the ability to anticipate; react and adapt to threats; meet customer needs and expectations; address regulatory and compliance issues; and mitigate rapidly evolving business risks while utilizing the right technologies. They include:
1) Staffing flexibility with the use of Subject Matter Expertise (SMEs) as needed: Demonstrating adequate internal audit capabilities to management comes down to consistently solving problems and providing support to mitigate risks they see as important. Balance internal audit vs. management’s priorities and perspectives. By assigning auditors with the right blend of functional and technical skills, industry, and consulting experience to perform reviews that matter, internal audit can quickly earn management’s trust. A combination of in-house auditors working alongside external SMEs enables internal audit and management to promptly speak a “common language” and rapidly transition to value-added activities during reviews. SMEs can probe beyond the obvious to uncover the problems management might not be aware of.
Is it possible for small and agile internal audit teams to respond faster to changing business environments? I do not know the answer. However, flexibility in staffing budgets means (1) the CAE can rely on internal auditors with cross-functional and complementary skills, (2) bring in outside experts through co-sourcing type arrangements with core knowledge of the business operations and cultural issues across regions to augment existing resources and drive the right solutions.
This is one-way internal audit can continue to add value and sustain value; by providing the expertise needed to assist management across business units and locations, as they scramble to respond to COVID-19, and apply lessons learned during and post-COVID-19.
The right co-sourcing arrangements help the CAE accomplish three things:
- Provide expertise with unique skills to help management quickly solve essential problems—add value, capture, and sustain value.
- Enables learning as internal audit gains through knowledge transfers by continuously learning new skills and correctly applying these to solve and sustain operational issues.
- The use of SMEs increases comfort levels and limits situations such as inappropriate pressures from management on audit planning and findings, resistance accepting recommendations, and implementing corrective actions.
Providing expertise to solve the right problems creates win-win outcomes for internal audit, and management without a substantial investment in headcount. Internal audit can quickly get to the root cause of significant business problems and provide solutions enabling management to respond and adapt timely to issues that impact the accomplishment of goals and objectives.
2) Track remediation of findings and resolution of issues and complaints: An organization can’t be responsive and adapt to the changing internal and external constraints if emerging and evolving risks are not identified and mitigated. Responsiveness is also impacted when audit and review findings, Continuous Process Improvement (CPI) projects outcomes, and recommendations, including fraud red flags, are ignored by management. To be responsive, internal audit needs a method to track the timely and appropriate remediation of all CPI projects, audits, and review findings by management, including independent validation of corrective action plans. Fraud red flags, customer complaints, product defects, quality, and regulatory violations can’t be ignored either.
As part of the continuous monitoring, internal audit should prioritize and communicate delays by management in remediating significant findings. Even though the remediation of audit findings and stakeholders’ complaints are core management responsibilities, internal audit must monitor and review the remediation of critical issues and evidence, if it is to provide risk-based assurance. Responsiveness can be enhanced if internal audit communicates effectively.
3) Timely escalation to the Board and Committees: Delays encountered from step number two associated with significant risks to the organization or fraud must be escalated to the Board of Directors (BoD) and appropriate committees timely. Responsiveness can be enhanced if internal audit remains objective and free from undue influence.
Lessons can be learned from the Sovereign wealth fund 1Malaysia Development Berhad (1MDB) created to attract foreign investment. Criminal and regulatory investigations revealed potential fraud of at least $4.2 billion, implicating investment bankers, politicians, lobbyists, and attorneys. 1MDB auditors in 2018 – Deloitte, and prior audits performed by EY and KPMG failed to detect and report this massive fraud.
- Could the scale of such fraud have been limited if auditors involved provided the responsiveness needed and escalation of concerns to the appropriate authorities timely?
- What lessons can other internal audit departments and their audit committees learn from the lack of responsiveness by the auditors directly or indirectly supporting 1MDB?
- What lessons can other internal audit departments learn from a responsive customer-centric company like Amazon with a culture of adapting to its changing business environment and exceeding expectations?
4) Establish an appropriate culture and tone:
Evaluate the current corporate culture, tone-at-the top, and perform reviews to validate the effectiveness of the whistleblower and ethics programs.
- Does the corporate culture encourage employees and stakeholders to report suspected fraud or violations timely without fear of retaliation?
- How has the organization addressed and resolved previous complaints?
- How does the tone-in-the-middle and tone-at-the-bottom impact the identification and mitigation of risks, reporting, and resolution of fraud and critical violations to corporate policy or regulatory requirements?
- What are the elements of corporate culture (enterprise-wide or sub-cultures across critical operations or locations) impacting responsiveness and adaptability to evolving customer expectations, business risks, and the changing business environment?
5) Evaluate effectiveness of the Crisis Management (CM) strategy: The organization’s ability to quickly evaluate the severity and impact of negative publicity and communicate the appropriate responses to the public (customers and regulators) is imperative to its long-term success. Companies like Amazon, as an example, responded quickly to the COVID-19 disruptions and succeeded at meeting and even exceeding customers’ expectations throughout the pandemic.
Information travels fast in the digital environment, and the public perceptions of initial responses often become a “permanent reality” impacting reputation. Amazon has benefited from this and increased market share and profits since February 2020 at a time that many organizations began experiencing significant losses from the COVID-19 disruptions. Ideally, internal audit will prefer for management to be pro-active and responsive to red flags and concerns before the need for a formal CM intervention. However, if done right, an organization could gain increased trust from the public how it manages adversity.
Internal audit should perform readiness-reviews, including evaluations of previous CM incidents to validate management did not only fulfill all promises communicated but delivered more than it promised to regain public confidence.
- Did the Crisis Management (CM) campaigns reviewed achieve the intended effect?
- If not, what enhancement recommendations can internal audit provide?
- What changes are needed throughout the organization to apply lessons learned during and post-COVID-19?
6) Periodic review of policies and procedures for alignment with objectives: Internal audit should perform periodic evaluation of policies and procedures to validate they achieve the intended effect. How are corporate policies and procedures understood and applied across business functions and locations to help the organization respond and adapt? The validation steps can include but not limited to, the following: Clear messaging, understanding, adequate oversight, continuous monitoring, and proper execution.
In the IIA Internal Auditor publication, “Aligning the Business,“ I argued businesses create policies and procedures to provide guidance on performing tasks. Employees may perceive that management has documented and approved all formal policies and procedures. This is not always the case. Existing policies and procedures are not always updated to reflect process changes and the current business environment and not communicated to all stakeholders timely. Some are not documented at all. Internal auditors can help management by routinely evaluating policies and procedures and ensure they align with established goals, strategy, and current business environment.
7) Minimize turnover of qualified internal auditors due to lack of challenging assignments: Losing experienced internal auditors from step number one, who have gained significant knowledge from working closely with outside experts through co-sourcing type arrangements, can be challenging to replace. There is a significant opportunity cost (lost value creation and inability to help management respond and adapt to changes) from hiring and training replacement staff. New internal auditors might not have the core knowledge of the business operations and cultural issues across regions to drive the right solutions. Be sure to vary the workload and reward excellent performance with some fulfilling, challenging, and high-profile reviews impacting strategy. Internal audit must perform audits and reviews that matter to stay committed!
8) Develop appropriate responsiveness Key Performance Indicators (KPI’s) and metrics: The relevant KPI’s, Key Risk Indicators (KRI’s) and metrics to measure the effectiveness of the responsiveness and adaptability to evolving customer expectations, business risks, and environment vary. You can’t manage what you can’t measure. Collaboration between internal audit and management (balance between audit vs. advisory responsibilities) while maintaining objectivity and independence is required to obtain consensus on appropriate KPI’s, KRI’s, and metrics. A data-driven approach providing the right information, at the right-time, in the proper format and context to guide decision making, helps improve responsiveness.
If the modern internal audit team is to be respected by managers across business operations and locations as a value-add partner, with the right capabilities to help solve critical problems, then the business-as-usual internal audit skill sets must change. That balance between audit vs. advisory responsibilities creates mutual trust and enables open communication and collaboration (feedback-loop) between internal audit and management.
Modern internal audit must function as management consultants when necessary by providing expertise timely to solve unique problems, support crisis management, and drive results. The skilled consultant does not need authority or command. Their knowledge of the business, insights, and value-added solutions are what management needs (guidance) and respect to respond to changing customer expectations, mitigate risks, and adapt to the rapidly changing business environment.
Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a professional services firm providing internal audit outsourcing and internal audit co-sourcing services to government institutions, private-sector, and not-for-profit organizations in the US and the Asia Pacific (APAC) regions.