Why Auditors Need to Stay Innovative to Succeed
Meeting compliance requirements is not enough. Organizations do not achieve their objectives simply by adhering to satisfactory systems of internal control. To succeed, for-profit organizations are expected to innovate to remain viable in today’s competitive environment, and non-profit entities are realizing that they must also search for new products and services, and periodically examine their operating practices to reduce cycle-time, lower costs, and increase customer satisfaction and quality. The methodologies of the past may have made the organization successful, but there is no guarantee that those same practices will lead to success in the future.
As much as this is understood by those engaged in daily operational activities, internal auditors must realize that they are not immune to these changing dynamics and the same expectations are levied on them too. As the governance, risk, and compliance landscape continues to evolve, internal auditors must search for new ways to determine what will be in their audit plans, how they will perform their reviews, and become creative in the support of the board’s and management’s objectives.
There are many trends driving innovation in internal audit. For example, the requirement to prevent and detect fraud, the need for faster and more agile auditing, adding value with fewer resources, transitioning to risk-based auditing, and using data analytics to examine larger numbers of records. Other examples include better root-cause analysis, effective problem solving, and formulating pragmatic recommendations. Recently, paying closer attention to the organizational culture and governance, incorporating environmental and social considerations, and helping management improve efficiency and effectiveness have also gained widespread interest.
Following are some additional examples of ways that innovation can be applied by internal auditors in their work to remain successful.
Innovation in Risk Assessments
Expand the rating of risk impact beyond monetary measures. The impacts can also include bodily injury, reputational damage, negative publicity, brand erosion, lost opportunities, employee demotivation, lower productivity, lawsuits, and increased employee and customer turnover.
Add velocity and persistence to the rating of risks. Velocity pertains to the speed at which the risk may affect the organization, program, or process. While some risks are slower to occur, like demographic changes and hurricanes, others like technological change and cybersecurity attacks, occur more quickly. Persistence relates to the duration, or length of time, over which the risk’s impacts may linger if the risk were to occur after the cause of it stops. The impacts of some risks are short-lived, like a truck accidentally spilling its cargo of milk, while others may last a long time, such as the same company’s truck spilling gasoline, caustic chemicals, or pesticides.
Expand the risk rating used beyond letters (e.g., High, Medium, and Low) and consider using a 5 or 7-point numerical scale more conducive to mathematical calculations. This approach will enhance the risk assessment giving it more granularity and the ability to differentiate the rating of risks better.
Expand the assessment of risks to incorporate statistical inputs, historical error, accidents, insurance claims, incident rates, correlations, simulation, and probabilistic elements. This will help reduce the subjectivity of the risk assessment by incorporating more objective, quantitative, and historical information.
Conduct broader brainstorming sessions to seek input from younger and not only more experienced personnel, from operationally involved but also individuals removed from day-to-day participation in the process, and those who think differently and creatively about unusual, emerging, and diverging scenarios. Recent developments have shown the importance of imagination in the identification of risk events, and a diverse participant pool can help make this happen.
Develop a partnership with management to use Key Risk Indicators (KRIs) more strategically so the organization moves toward pre-emptive risk management, and continuous monitoring and auditing. While Key Performance Indicators (KPIs) have been widely used by many management teams, KRIs are a less common type of metric, yet they are essential to better understand the behavior of key risks.
Innovation in Your Audit Plan
Offer a broader selection of consulting and advisory services to the organization. There are many services internal auditors can provide without jeopardizing their independence or objectivity; the key is to clarify roles and responsibilities and abstain from decision-making or operational activities that would challenge the auditors’ primary role of providing reasonable assurance. Many organizations need help identifying opportunities to improve efficiencies, reduce waste and rework, increase customer satisfaction, and reduce cycle time. The focus on traditional compliance procedures kept auditors away from making much-needed recommendations in these areas for far too long.
Recalibrate the allocation of time between compliance, financial, IT, operational, cybersecurity, and advisory services based on the organization’s evolving risk maturity. When processes are unpredictable, a focus on compliance and standardization is to be expected. But as programs and processes mature, internal auditors should consider the benefits of shifting their focus and re-allocating more resources to other types of reviews that would also make a significant contribution to operational excellence.
Audit non-traditional, yet essential, subjects, such as:
Corporate culture and ethics: Examine the organization’s tone at the top and in the middle, the culture and adherence with desirable values espoused by the organization and other key stakeholders.
Knowledge management: This is indispensable as aging Baby Boomers exit organizations, and more recently, many workers across age groups engage in what has been dubbed the Great Resignation. The result is these departing workers could take their institutional knowledge with them. Also, future organizational success will depend greatly on acquiring, managing, deploying, and institutionalizing knowledge that will evolve constantly due to our rapidly changing world.
Physical security: Verifying that safety measures are in place to protect and effectively respond to safety threats to employees, customers, and others at worksites and while traveling on business. While much of the attention has been placed on work-from-home (WFH) arrangements, some may fail to notice that travel is increasing, some employees are returning to their worksites even if temporarily, and pandemic risks threaten employees’ health wherever they are.
Training and development: You’ll need to verify an adequate return on investment (ROI) and return on assets (ROA), knowledge was acquired, operational performance was improved, and that high-potential talent was identified and groomed to assume managerial and leadership positions. These two terms, training, and development are often combined and treated as one, when in fact training pertains to short-term skills and doing the immediate job, while development has a long-term orientation and focuses on developing mindsets. Organizational success rests on the ability to do both simultaneously across the workforce.
Social media: To determine if the organization is maximizing its use of social media technologies and techniques to hire, onboard, connect, and motivate staff; communicate timely, accurately, and appropriately with customers, and strengthen its public relations infrastructure. Best-in-class organizations are leveraging social media to increase employee engagement and strengthen their corporate cultures, so internal auditors can assess the degree to which their organizations are doing this effectively.
Project management: You’ll need to to make sure funds are allocated based on reasonable criteria, that projects are planned and conducted effectively, and that lessons are learned and used for future enhancements. This is to ensure that projects deliver the agreed-upon scope with high quality, on schedule, and within budget.
Change readiness and execution: To determine if the organization is willing, capable, and follows through effectively when operational and technological changes are required.
Innovation in Planning
First in audit planning you should identify the business objectives all audits attempt to help management achieve. If business objectives are not defined, internal auditors should work with management to do so.
Brainstorm risks pertaining to the program, process, or unit being audited rather than only making minor, or even cosmetic, changes to past audit programs.
Evaluate business dynamics more thoroughly so only key risks and controls are tested.
Examine more rigorously the timing, type, format, and extent of data and documents requested.
Brainstorm fraud scenarios with every audit and while incorporating detection techniques, also include fraud deterrence and prevention procedures.
Make the internal audit department’s mission, vision, and value statements the driving force behind every engagement. This requires that these attributes be communicated to all audit staff, be properly trained on them, and require adherence and follow-through using the performance evaluation process.
Innovation in Fieldwork
There are different types of sampling methodologies, so question the method used historically. If internal auditors are not careful, they could be engaging in controls-based testing rather than risk-based auditing by defaulting, as many do, to non-statistical random sampling.
Go beyond sampling and test the entire population whenever possible and feasible. Most organizations have digitized the vast majority of their transactions, and data analysis and visualization tools are easier to use than ever before and are widely available at competitive prices.
Develop testing procedures based on the answer to the question: How do we know if this risk is happening?
Include fraud detection procedures with every audit based on the answer to the question: How can we find out if fraud scheme X is occurring?
Use subject matter experts (SMEs) whenever possible to help test unusual dynamics and provide a transfer-of-knowledge opportunity for the audit staff.
Require root cause analysis and promote the use of tools, such as Ishikawa Diagrams, Affinity Diagrams, 5 Whys, Is-Is Not Comparative Analysis, Pareto Charts, Scatter Diagrams, brainstorming, Process Flow Analysis, SIPOC Maps, Run Charts, Control Charts, and Histograms.
Innovation in Reporting
Use various templates based on the type, goal, and urgency of the communication.
Update the layout of internal audit and audit committee reports with the goal of making reports shorter, and easier to navigate and read.
Increase the use of charts, graphs, color, and other visual elements in audit reports.
Streamline the reporting cycle to publish communications faster.
Write every audit report from the perspective of a change agent who wants to encourage the reader to embrace the recommendations and opportunities for improvement noted.
Innovation in Performance Monitoring
Make sure performance evaluations balance technical and soft skills that measure individual and team results.
Develop Key Performance Indicators (KPIs) that focus on outcomes, not only output.
Balance quantitative and qualitative performance metrics from within the internal audit department, but also from clients.
Introduce and sustain a post-audit client survey and a 360-degree review program so there is a balanced performance review mechanism.
Innovation in Employee Development
Enhance the department’s onboarding process and hire non-auditors to broaden diversity.
Deploy and sustain a robust coaching and mentoring program, including reverse mentoring, to encourage inclusion and advancement.
Use internships, co-sourcing, subject matter experts (SMEs), inbound and outbound rotation programs to achieve needed staffing levels and create a more dynamic team.
Encourage professional development by providing training.
Innovation is the generation, and translation of ideas into goods or services that create value. These ideas are often used to satisfy the needs and expectations of customers. There are many ways that internal auditors can become innovative in their work. Each department has its own needs and resource capabilities, expectations from the board and management, and operates within its organizational culture.
With changes occurring so rapidly around us, internal auditors must not only understand innovation, but they must also embrace, adopt, and thrive in it. By making innovation a standard operating practice in their administrative practices and the planning, fieldwork, and reporting phases of their engagements, internal auditors will also find new, better, and creative ways to serve their clients. There are many benefits to being more innovative, including increased productivity, added value provided to audit clients, and better supporting the organization’s system of internal control. With an innovative mindset, internal auditors will be better equipped to act with speed and confidence as they deliver greater value to their clients.
Dr. Hernan Murdock, CIA, CRMA
Vice President, Audit Content
Dr. Hernan Murdock is Vice President, Audit Content for ACI Learning. Before joining ACI Learning he was the Director of Training at Control Solutions International, where he oversaw the company's training and employee development program. Previously he was a Senior Project Manager leading audit and consulting projects for clients in the manufacturing, transportation, high tech, education, insurance, and power generation industries. Dr. Murdock also worked at Arthur Andersen, Liberty Mutual and KeyCorp.
He is the author of Operational Auditing: Principles and Techniques for a Changing World, Auditor Essentials: 100 Concepts, Tools and Techniques for Success, 10 Key Techniques to Improve Team Productivity, and Using Surveys in Internal Audits, and many articles on topics related to internal auditing, whistleblowing programs, international auditing, mentoring programs, fraud, deception, corporate social responsibility, and globalization.
Dr. Murdock was a senior lecturer at Northeastern University where he taught management, leadership, and ethics. He has conducted audits, consulting projects, training sessions and delivered invited talks and conference presentations at internal audit, academic and government functions in North America, Latin America, Europe, the Middle East, Africa, and Asia.