10 Questions That Keep Chief Audit Officers up at Night
10. How can we improve our image and show that we are adding value?
Communication skills are imperative to an effective audit team. Auditors are often hindered in this by the volume of technical data they must condense and the sometimes inconvenient truths they must deliver. While the auditing team is an essential component of many organizations, other departments may not readily see the value we add. It is part of our job to effectively communicate that value and show that we are here to serve.
9. Is my department meeting the board of directors' expectations, the audit committee, and senior management?
Internal auditors need to keep a healthy distance from those they assess to do their jobs effectively and independently. At the same time, audit findings and remediations are visible at the highest level of authority at an organization, and these authorities—not auditors—ultimately set the risk tolerance and chart the way forward in addressing outstanding risks. One of our challenges is maintaining the distance necessary to be an objective advisor while being sensitive and responsive to the organization's needs.
8. Are we missing any of the organization's key risks?
Is our internal audit agile enough to prioritize and deprioritize risks as the organization's needs change throughout the fiscal year? Are we leveraging technology and personnel to detect and analyze new risks effectively? Have we sufficiently understood the business strategy and operations across all organization levels to identify key emerging risks, educate stakeholders, and take advantage of any opportunities?
7. Are we aware of the relevant changes in our regulatory environment?
Regulatory changes are never made in secret, but it can be easy to fall behind or misunderstand them. Auditors must continuously renew their knowledge of these regulations or risk serious consequences.
6. Where can fraud occur?
The Internet of Things. Cloud computing. Data protection. Cybersecurity. Crisis response. These are all part of our everyday working lives, and they are all extremely susceptible to abuse and impenetrable to many of their users. How can I train my employees to detect abnormal behavior and unusual communication from outside and inside the firm? What are new areas of business ripe for fraudsters to take advantage of a lack of regulation?
5. Is our methodology helping or hindering our ability to audit faster, cheaper, and better?
Auditing can be a conservative industry, traditional in its methods. Sometimes this means that the work of auditing becomes hindered by cumbersome processes and bloated bureaucracies. At the same time, auditors are often asked to do more with fewer resources. Project management methodology and technology are vital to doing more with less—are we using the right tools?
4. Do I have the talent I need in my department to meet today's and tomorrow's needs?
Are we using an old-fashioned staffing model or out-of-date job descriptions and roles? Do my people have the training they need? Are we attracting cutting-edge talent? Are we retaining the talent we have? Are we getting the most from them? These are challenges for any department, but they can be essential to auditing teams due to the work's cyclical nature.
3. How can I increase the number of resources I have available given my increasing mandate?
Audit teams are being asked to do more with less. They must deal with this both by prioritizing more effectively and by finding untapped help where it exists. Limited resources should be focused on risks that directly threaten the achievement of enterprise objectives in order to deliver critical value to the organization. Auditors should also consider utilizing the expertise of team members in other departments (project managers, business analysts, accountants). Technology can also help (see below).
2. How can we use software and data analytics more effectively to provide better coverage?
What is the bleeding edge of data analytics? What improvements have been made in data monitoring and tracking since our last audit? What is my organization's tolerance for new ideas and IT products? What new vendors are on the market? We must continuously remain up-to-date on tech advancements that can improve our audit quality while saving money.
1. How can I better help the organization achieve its objectives?
It has been said that if you want auditing that matters, then audit what matters. The audit team must be intimately aware of the organization's enterprise objectives and plan its audit to be laser-focused on risks that directly affect those objectives. Have we prioritized risks with the company's goals in mind? If not, then they are correct to question our value.
Answers to these questions can be challenging to determine and even tougher to implement, but one of the most cost-effective ways to begin the process is with ongoing professional training designed to address these issues with proven best-practices and expert instruction.