As my firm reflected on directors’ expectations that have emerged while working with boards, four areas of emphasis that internal auditors should address rise above the rest. We refer to these as the four Cs: culture, competitiveness, compliance, and cybersecurity. These four areas offer suggestions to directors regarding what they should expect from a risk-focused audit plan.
Here’s a closer look.
A breakdown in risk management, internal control, or compliance is almost always due to a dysfunctional culture. The risks spawned by cultural dysfunction often require a lengthy incubation period before noticeable symptoms appear—and lead to consequences that could result in a reputation-damaging event. Examples include an environment that isolates senior leaders from business realities, allows cost and schedule concerns to override legitimate public safety priorities, empowers falsification of emission reports, or drives unacceptable risk-taking through inappropriate performance incentives. Once a culture of dysfunction inculcates a flawed business environment, it may take a long time for the consequences to emerge—and emerge they will if the dysfunction is left unaddressed.
Given that an organization’s culture is the mix of shared values, attitudes, and patterns of behavior that comprise its particular character, how does a board get its arms around it? An opportunity we see is for directors to look to the chief audit executive as the independent “eyes and ears” of the organization’s culture. Specifically, internal audit can be asked to perform the following functions:
understand the overall working environment;
identify the unwritten norms and rules governing employee interactions and workplace practices;
highlight possible barriers to an effective internal environment and communication flow;
report unacceptable behaviors, decisions and attitudes toward taking and managing risk; and
make recommendations to address identified problems.
Internal audit can also post warning signs to directors that further investigation into cultural concerns is warranted, and can assist in assessing whether the tone in the middle and at the bottom match the leaders’ perception of the tone at the top. This contrast can be quite revealing. It can serve as a powerful reality check to a management team that really wants to listen.
Competitiveness is a priority of every business and poses a significant opportunity for the internal audit function. If, for instance, the company’s practices are inferior relative to best-of-class performers due to underperforming business processes, the internal audit function can improve operating efficiency. In essence, the board should expect internal audit to look beyond traditional compliance areas and financial reporting to help the organization to continuously improve its operations.
Most organizations use some form of a balanced scorecard when monitoring whether they are successfully establishing and sustaining competitive advantage in the marketplace. Key performance indicators address critical areas such as quality, time, cost, and innovation performance. They often include indicators of customer and employee satisfaction. Internal audit can assist with assessing the reliability of these metrics for decision-making. In addition, internal audit can benchmark selected metrics against competitors and best-in-class performers to identify performance gaps that must be corrected in a timely manner.
Traditionally, the internal audit plan ensures that the organization’s compliance with laws, regulations, and internal policies are under control. As the third line of defense in the compliance chain of command, internal audit should ascertain whether:
Front-line operators and functional leaders whose activities have significant compliance implications own the responsibility for identifying and managing compliance risk. These front-line operators are responsible for having effective controls in place to reduce the risk of noncompliance to an acceptable level.
The scope of the independent compliance function, or the second line of defense, is commensurate with the significance of the company’s compliance issues and results in reliable and timely insights to management and primary risk owners.
Internal audit should determine whether a cost-effective monitoring process is in place to address the top compliance risks, and that can assess the overall implementation of the compliance program in light of changes in applicable laws and regulations.
In a recent survey, cybersecurity was cited as the third most critical uncertainty companies are facing as they look forward into 2017. What can internal audit do to alleviate this concern?
Assess whether the company’s processes give adequate attention to high-value information and information systems. Rather than costly, system-wise protection measures resulting in lack of attention to the most important assets, internal audit can assess whether the information technology organization and business leaders agree on what constitutes the company’s crown jewels.
Assist the board and senior management with understanding the threat landscape. The organization’s cybersecurity risks should be assessed based on the company’s crown jewels, the nature of its industry and operations, and its visibility as a potential target. For example: Who are the likely adversaries, and how might they attack? Where are our biggest vulnerabilities? How effective are our current internal controls? Do we conduct penetration testing? If so, what are the results?
Review the organization’s response readiness to a cyber incident. Effective incident response processes are critical to a company’s preparedness to reduce an attack’s impact and proliferation.
By focusing more broadly on the implications of audit findings and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical and harder-hitting recommendations aligned with what directors are seeking.
Despite this call to action, overcoming short-termism remains a stark challenge for many companies. In fact, as the National Association of Corporate Directors’ (NACD) 2015 Blue Ribbon Commission observed, “factors encouraging a short-term focus are stronger now than ever before.” Additionally, in a 2015 report, the Conference Board contemplated whether short-term biases might jeopardize future business prosperity altogether.
Yet if short-termism is a sizable challenge, so too is the commitment to understanding why short-termism is so entrenched as a business practice and the task of mitigating its harmful effects. In July, the Anti-Fraud Collaboration, a group of organizations focused on fighting financial reporting fraud, hosted a webcast on Coming to Terms with Short-Termism. The discussion, which I was privileged to moderate, featured top experts and generated a wealth of useful takeaways for participants across the financial reporting supply chain.
Let’s look at a few key takeaways from the discussion.
1. Acknowledge and Define the Complexities of the Issue
To address the challenge of short-termism, it helps to understand the complexities of what companies are up against. For one thing, “short-termism” doesn’t equate to short-term activity, which isn’t necessarily bad. NACD Chair Karen Horn, director of Simon Property Group, observed at the outset of the webcast that the “long term is made up of many, many short-term actions.”
Another tricky step to understanding the complexities of short-termism is how to define “short-term” at your company. Is it a month? A quarter? A year? “It depends on the company,” said panelist Bill McCracken, president of Executive Consulting Group LLC. McCracken, who previously served as CEO of CA Technologies, added that even within a company the meaning of “short-term” can change according to different contexts, such as strategy or compensation.
2. Think Strategically
However complex a challenge combatting short-termism may seem, there are several simple solutions for directors to consider. One of them is this: think strategically. A strategic mindset helps short-term actions align with long-term goals. “Boards really need to be conversant with the company strategy,” said Horn. McCracken agreed, noting that board members should become “activist directors” who immerse themselves in the details of the company, its strategy, and its industry. This engaged approach, he added, can help directors be prepared to handle situations such as share buybacks or changes to dividend policy where questions of short-termism may arise.
Similarly, strategic thinking can also help directors gauge the validity of the use of non-GAAP measures. “Shouldn’t the use of non-GAAP measures also tie in to the strategy of the entity?” asked Douglas Chia, executive director of the Conference Board’s Governance Center. “Absolutely,” responded fellow panelist and KPMG Partner Jose Rodriguez.
3. Strengthen Tone at the Top…
One danger of short-termism is that it can heighten fraud risk across the enterprise. Companies need to ensure that management is setting the right tone at the top. “I can’t underemphasize tone at the top,” said Rodriquez. “How do [senior executives] talk to employees? Is everything geared around meeting that analyst’s [earnings] expectations?” From his auditor’s viewpoint, he added, “that would be concerning.
4. …But Don’t Forget the “Mood in the Middle” and “Buzz at the Bottom”
While emphasizing tone at the top, panelists also stressed that short-termism shouldn’t be a point of concern for only senior management. Many instances of fraud, noted Rodriguez, occur outside the C-suite. “It’s middle management and lower management that had to get that sales number to a certain amount of dollars,” he said, and this pressure can lead to channel stuffing or other undesirable activity. Such activity is what audit committees, auditors, and the board ought to be looking for, added Bill McCracken.
5. Dial Down the Emphasis on Quarterly Results
“Our entire [financial reporting] structure is built around quarterly reporting,” said McCracken. While eliminating this quarterly focus might not be possible—or even desirable—panelists agreed that reducing the quarter-to-quarter mindset was an important part of addressing short-termism. “Obviously you can’t get entirely away from that,” said Chia, “but there are ways you can reduce the emphasis and build on the timeline that you think is appropriate—not what you’re being told by the analyst community.”
Fostering robust communication internal and external communication is a core priority for the Anti-Fraud Collaboration, and communication at all levels was a recurring theme throughout this webcast. When discussing the use of non-GAAP measures, Horn noted that “the chairman of the compensation committee should be talking to the chairman of the audit committee as these measures work their way in to [compensation] programs.”
Likewise, communicating effectively with external investors and other stakeholder parties is critical. “Boards need to really understand investor communications,” said Horn. “The way that we can pursue long-term value creation is in partnership with our investors.”
Recently, the world’s largest ongoing study of the internal audit profession—the Global Internal Audit Common Body of Knowledge (CBOK)—was completed by the Institute of Internal Auditors (IIA) and Protiviti to ascertain expectations from key stakeholders regarding internal audit performance at organizations of varying operational models and sizes. The study sought input from members of audit committees all over the world about their expectations of the internal auditor’s role in the organization. We think all directors will find the results of the study applicable to their work in the coming year and beyond.
Below are six imperatives for internal auditors from the CBOK study based on feedback from audit committee members.
1. Focus more on strategic risks. According to the CBOK study, two out of three board members believe internal audit should have a more active role in evaluating the organization’s strategic risks. Study respondents indicated that internal audit should focus on strategic risks (as well as operational, financial and compliance risks) during audit projects (86 percent) and periodically evaluate and communicate key risks to the board and executive management (76 percent). Accordingly, chief audit executives (CAE) must focus their function sufficiently on the bigger picture to think more strategically when evaluating risks, proposing risk-based audit plans, and formulating audit findings. By understanding the organization’s business objectives and strategy, and identifying risks that create barriers to the organization achieving its objectives and executing its strategy successfully, the CAE increases internal audit’s value proposition.
2. Think beyond the scope. The call for internal auditors to think strategically leads to another challenge: thinking beyond the scope of the audit plan. Thinking beyond scope means, for example, that the auditor should:
“Connect the dots” when considering enterprisewide implications of the findings of multiple audits, particularly findings with significant business model underpinnings;
Broaden the focus on operations, compliance, and nonfinancial reporting issues; and
Watch for patterns or signs indicating a deteriorating risk culture.
By focusing more broadly on the implications of audit findings, and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical, and harder-hitting recommendations aligned with what directors are seeking.
3. Add more value through consulting. In today’s era of slower economic growth, a high premium is placed on operational effectiveness and efficiency. The CBOK study respondents picked up on this point, as 73 percent of respondents recommended that internal audit advise on business process improvements. For example, consulting activities by internal audit can result in: strengthening of the lines of defense that make risk management work; more effective collaboration with other independent functions focused on managing risk and compliance; improvements in the control structure, including greater use of automated controls; and suggestions for improving and streamlining compliance. These study findings underscore the benefit of investing in consulting services that will strengthen business processes.
4. Facilitate effective, high-quality communication. Board members generally rate internal audit’s communication at a high level of confidence. For example, a large majority of directors give high scores for the quality (83 percent) and frequency (81 percent) of internal audit’s communication. That’s good news and a great foundation on which to build the board’s satisfaction with the internal auditor’s role.
5. Elevate stature and perspective. Intentionally positioning the CAE and internal audit within the organization is vitally important to their ability to meet elevated expectations. Access and perspective have always been keys to positioning. Access has typically been attained through direct reporting to the audit committee, as well as to the C-suite. But beyond these reporting lines, the study reports that two out of three board members rank the CAE’s participation in board settings beyond the traditional audit committee meetings as an effective strategy for broadening the CAE’s perspective. The board settings that are relevant in this context must be defined by directors to fit the organization’s specific needs. However the goal is defined, increased access to and more frequent interaction with the board broadens the CAE’s perspective of the organization and elevates the stature and visibility of the internal audit function within it. It also enables the CAE to establish relationships with directors, understand their views on addressing competing audit priorities, and earn the right to be viewed as a valued source of insight for the board.
6. Align with stakeholder expectations. In most organizations, not all stakeholders see eye to eye or want the same value from internal audit. This reality creates a significant challenge for CAEs tasked with building consensus among stakeholders. While directors may not expect their company’s CAE to address all of the above imperatives, they should initially and periodically assess whether internal audit is doing what matters based on previously-established imperatives. The CAE bears the brunt of the responsibility for addressing this challenge by articulating the value that a top-down, risk-based audit plan contributes to each facet of the organization, and by providing an assurance and advisory perspective that the board, executive management, and other stakeholders can understand.
Following are some suggested questions that directors may consider based on the risks inherent in the entity’s operations.
Does the board periodically evaluate the scope of internal audit’s activities and discuss whether modifications are needed in view of changes in company operations and the business environment? Is the board getting the insights it needs?
Does internal audit provide adequate attention to strategic risk issues, including barriers to the organization’s execution of the strategy?
Does internal audit have an appropriate mix of consulting and assurance activities?
Does internal audit have the stature and access necessary to maximize its effectiveness?
Jim DeLoach is managing director with Protiviti, a global consulting firm.