The new imperative for internal auditors is clear.
Companies increasingly expect their internal audit function to take on a more strategic, collaborative role within the business.
At first glance, that seems to be a complex notion. Independence and objectivity safeguards indicate that internal auditors should not be proposing or setting the same strategies they will have to audit. And if they get too close to the same employees in other units they are auditing, it might appear that their objectivity, as defined by Institute of Internal Auditors (IIA) standards, is compromised.
Nonetheless, experts say it’s possible for internal auditors to be strategic in their own way and improve their audit procedures through collaboration without impairing their objectivity. Carolyn Saint, CPA, vice president of internal audit for 7-Eleven, said internal audit teams can contribute to strategy by examining the things that need to go right for strategy to be executed—and the things that could go wrong—and advising management on those.
“It would be helpful to make sure that all the capabilities you are taking as a given are going to be able to be delivered, because they are the foundation of your strategy,” Saint said. “So that’s one way I think [internal] audit can be more strategically focused.”
Paul Sobel, the chairman of the board for the IIA, said that during the 1990s, many chief audit executives (CAEs) had moved away from focusing solely on controls and concentrated more on consulting and trying to add value to the business in other ways. Sobel said that the events that led to the passage of the Sarbanes-Oxley Act of 2002 temporarily shut the door on internal auditors’ value-added tasks and forced them into more of a “police officer” compliance and controls role. But internal auditors are beginning to branch out more and provide additional value in a strategic role again, he said.
Numerous surveys also show that companies are asking internal auditors to be more strategic. A majority (54%) of more than 500 CAEs participating in EY’s Global Internal Audit Survey 2013 expected that in the next two years, internal audit’s primary mandate will be providing stakeholders with business insights and serving as a strategic adviser to the organization. But just 28% said playing that strategic role currently is the primary mandate or focus of internal audit.
AN ADVISORY ROLE
Internal auditors are not supposed to make any decisions about strategy, Sobel said, because that is the responsibility of management and the board. But, according to him, there are two ways for internal auditors to take a strategic role:
Internal auditors can audit strategic risks. Strategic risks can include competitive pressures that could make the company’s products obsolete, changes in customers’ expectations or preferences because of socioeconomic shifts, and an unexpected loss of a key partner in a company’s supply chain. Although those strategic risks are not always easy to audit, Sobel said, they need to be on internal audit’s radar screen because of the danger they pose to organizations.
Internal auditors can operate in an advisory capacity on strategy. The CAE’s role with respect to strategy is to help management think about the risks involved and resources needed when considering a strategy, Sobel said. The CAE can provide an assessment of whether the company’s capabilities or systems are sufficient to support a strategy. Even then, the CAE doesn’t advise management regarding pursuit of a strategy, but rather informs executives and management of options that have not yet been considered. The CAE’s role is to direct objective information about resources to management, which can take the advice and decide whether to abandon the strategy, outsource, add more resources or better technology, or pursue the same path anyway.
Brad Ames, CPA, a director of internal audit for Hewlett-Packard, said internal audit serves in this advisory capacity by aligning its work to examine the potential risks associated with the strategy.
“It’s not like you’re making the decisions,” Ames said. “As long as you’re not making the decisions toward what strategy the company is using, you can maintain objectivity.”
Outside the CAE’s office, collaboration between internal auditors and other business units also is growing, Ames said. He said it’s helpful for internal auditors to coordinate with other governance bodies at the company—such as legal, enterprise risk management, and even external auditors—to position the department and the company to respond to the risks that would inhibit the strategy.
“If the collaboration gives more knowledge in response to strategic risks the company faces, then that’s a healthy thing,” he said. “But if the collaboration is rationalizing too much risk, then you’ve got to be careful.”
HOW TO COLLABORATE
The experts’ tips for maintaining independence and objectivity while serving the organization in a collaborative fashion include:
Strike the right tone. Maintaining the appropriate distance while crafting relationships with other business units is important for internal auditors, according to Saint.
“Get too close to your auditees, and obviously your judgment could at least look like it’s being impaired, whether it is or it isn’t,” she said. “Get too far away, then you’re the gotcha, the police squad. That’s out of favor with management teams. … Nobody is advocating for audit to go back to a day when they were known as the police force or the gotcha squad.”
Rely on infrastructure. Proper infrastructure is critical in enabling internal auditors to maintain their independence as they work with other groups, Sobel said.
For starters, in North America 73% of internal audit departments report functionally to the audit committee, according to IIA research published in April. That gives a CAE who is getting undue influence or is being asked to suppress findings the ability to go to the audit committee and explain the problem.
“You have to develop a good relationship with, say, your audit committee chair and develop a trust with your audit committee and make sure your executives know that you’re not afraid to use that trump card, if necessary,” Sobel said.
But many CAEs (about 37% in North America, according to the IIA survey) report administratively to the CFO. Often this means the CFO approves the CAE’s expense report, writes an annual review, and proposes a salary adjustment, which often needs to be approved by the audit committee. And, of course, the CFO controls internal audit’s budget.
That’s why Sobel said it’s better for the CAE to report administratively to the CEO (and 33% do in North America, according to the IIA survey). But Sobel said potential problems with the CFO reporting relationship can be overridden if the CAE is experienced and confident, with direct access to a strong audit committee.
Use standards as a guide. IIA standards (available at tinyurl.com/kydbqvz) provide further guidance with respect to internal audit independence and objectivity. Their requirements include:
- The CAE reporting to a level within the organization that allows internal audit to fulfill its responsibilities.
- The CAE communicating directly with the board.
- Internal auditors having an impartial, unbiased attitude and avoiding conflicts of interest.
- Disclosing any impairment or apparent impairment of independence or objectivity to appropriate parties.
- Internal auditors refraining for at least one year from assessing specific operations for which they were previously responsible.
- A party outside internal audit overseeing any assurance engagements for functions the CAE controls.
“It’s a fine line for internal auditors, because we understand what [collaboration] means, and we understand the risks that imposes on us,” Ames said. “Practicing our standards safeguards close collaboration.”
Other safeguards desired by the organization can be written into internal audit’s charter (an IIA sample charter is available at tinyurl.com/n7gj6ju). In addition, Ames said, remaining true to the standards required of a CPA can help preserve objectivity. Adhering to CPA ethics requirements—as well as following IIA standards and having a healthy reporting relationship with the audit committee—can help preserve the independence and objectivity auditors value highly.
Outsource when necessary. Cases do arise in which internal auditors have to recuse themselves. Sobel was working for a company when the practice of backdating and spring-loading of stock options was getting a lot of attention in the news. He decided that the company needed to have an audit done to see if it had a problem with backdating or spring-loading.
Because Sobel received stock options, he declined to have his department get involved in the audit. He had an independent firm perform the audit and report directly to the audit committee.
“No matter how much integrity I think I have, not everybody knows me,” Sobel said. “Not everybody can get into my mind. So in that case, I had somebody else do the work.”
Preserving that integrity is essential as internal audit seeks to contribute more value to organizations. Without independence and objectivity, Saint said, internal audit’s entire value proposition breaks down.
“It’s really the No. 1 tenet that we have to follow,” Saint said. “Because if we don’t have objectivity, we’re not auditors, and then why should anyone listen to us? Then we’re analysts. Our professional standards guide us, protect us, and allow us to maintain our unique position as assurance providers and advisers within our companies.”
Organizations increasingly are asking internal auditors to play a more strategic, collaborative role. Internal auditors can audit strategic risks and operate in an advisory role on strategy by informing management of risks involved and resources needed when pursuing a strategy.
Internal auditors are collaborating more with other business units. This collaboration can be a benefit if it gives internal auditors more understanding of risks, but it can be damaging if it leads internal auditors to rationalize risks.
To maintain the necessary independence and objectivity, internal auditors need to keep an appropriate distance as they craft relationships with other business units. Independence and objectivity can be maintained through proper reporting relationships and by following industry standards and CPA ethical guidelines. At times, outsourcing audit work may be necessary to avoid the appearance of impropriety or a conflict of interest.
Ken Tysiac is a JofA senior editor. To comment on this article or to suggest an idea for another article, contact him at email@example.com or 919-402-2112.
- “Checklist: Internal Audit Oversight,” Aug. 2013, page 20
- “Checklist: Beef Up Internal Audit,” June 2011, page 20