Reflections on the 75th Anniversary of our Profession

Sally Chan CPA, CMA, CGEIT et ACIS

May 17, 2016

Navigating the pages of the February 2016 issue of the IA Magazine Celebrating 75 – Perspectives on our Profession and contemplating the tagline of the upcoming 75th Annual IIA international conference in July – Internal Audit Rising… 75 years of Progress Through Sharing, I am amazed at the sound value propositions that have elevated our profession to where we are today. I am happy to share a few thoughts.

Who we are

More often than not, audit clients’ knowledge of our profession is less than we think. While the scope of internal audit has continued to evolve and expand, with a remarkable shift from traditional finance, operations, IT to strategic business alignment, risk management, project assurances and more, audit clients are more interested in “what did we do wrong?” than “what can we improve together”. The image of the traditional stereotypical 20th century auditor still exists. The good news is that the opportunity to up the game is abundant.

“Steps to Marketing Your Audit Department” in the August 2015 Issue of the IA Magazine specifically addresses the topic “of getting clients to think beyond their perceived notions” about us. An open and timely discussion on these matters can no longer be overlooked.

A plea for mutual understanding begins with a clear knowledge of who we are and who our clients are:

-  In our audits, do we make enough effort to listen to, and focus on what is important to them?

-  As a rule, is our dialogue leaning towards more collaborative practices, with an emphasis on what can be improved realistically without compromising independence?

-  Have we considered reaching out to our clients outside of audit engagements e.g. in corporate town-hall meetings or other communications sessions?

-  Do we take advantage of audit entrance meetings to further explain or reinforce how our current audit processes work, or tailor our conversation in terms of client’s interests and concerns?

-  Are we convincing to our clients that our objective is not “gotcha” but to deliver “mindfulness” and “second sober thoughts’’ of value?

I hope such questions can be tested for their usefulness and become talking points within the IIA Canada Thought Leadership Community.

In the fall of 2011, the newly established Internal Audit function at AIMCo (Alberta Investment Management Corporation) posted a co-op/intern position at the career centres of three universities (the University of Alberta, the University of British Columbia and the University of Toronto). This initiative was part of our internal audit recruitment strategy to contribute to the education of the next generation of internal auditors. The first AIMCo co-op student reported for work in January 2012. She was keen on returning to AIMCo as an auditor upon her graduation. Although we couldn’t offer her a junior full time position on her graduation, I now consider her internal audit’s goodwill ambassador at the Bank of Nova Scotia.

The above is a small example of introducing our profession to someone at an entry level, but there is no stopping us from seizing opportunities to demonstrate who we are.

Building Relationships: Relevance and Credibility

Because of the nature of our work, audit interactions with businesses are not day-to-day, but rather a point-in-time or a period in-time or a combination of both. In view of this, a trusted relationship is difficult to build. The onus is on internal audit to impress upon our audit clients what we do is relevant to them. Relevance enhances value delivery, credibility is our reward.

One way to make sense of the changing business world is to ask ourselves how relevant we are. One way to approach relevance is to pre-assess the auditor’s level of understanding of the current business being audited, and where to get the right resources or expertise to assist on demand. It is also important to go in with a reasonable understanding of the audit client’s current and future concerns. This consideration will help us anchor our recommendations in the proper context, e.g. their meaningfulness in relation to the organization’s strategy, risk appetite, business and technology alignment, and maturity level, as appropriate.

Sometimes networking with ex-auditors who have returned to their respective business units and soliciting their feedback can yield a different perspective on relevance. Regular dialogue and open-ended questions to clients is a good way to learn about our work from a different point of view. Such approaches are currently not in the auditors’ official playbook. Exploring these possibilities may encourage a new generation of auditors to think beyond their sphere of knowledge and think globally about their industry, competition, culture and be in tuned with the activities that are already on corporate leaders’ radar screen.

Back in the early days of AIMCo’s organizational transformation in 2010, internal audit took a bold step to seek buy-in from the audit committee and senior executives, notably the CEO, COO and CFO, to provide independent, on demand advisory services to management as its primary responsibility for one year. The rationale was simple – we questioned the relevance and value of after-the-fact findings in point-in-time audits for a company that was undergoing major business and organizational change. We concluded that on-demand advisory services were the right approach at the time to allow governance, risks and control considerations to be incorporated into the businesses during their development.

AIMCo advisory services ranged from reviews and commentaries on draft policies on investment operations to providing advice on the implementation of IT governance framework and the selection of the external auditor for the then CICA Section 5970 certification. During that time, internal audit experienced an increased number of on-demand advisory requests, including invitations to participate in interviews of new recruits: an indicator that we were on the right path to being viewed as credible business partners and a relevant source of knowledge. We were mindful that during these engagements, internal audit did not impair the independence and objectivity as defined in our audit charter that was fully aligned with IIA Standards 1100-1130.

Staying Current: Harnessing the Past, Present and Future

It may seem trite to overstate the obvious. But the reality is that there is only a finite amount of knowledge we can gain in our life and career. We need expertise, specialists and well-heeled consultants to work with us along the way. When this happens the methodical transfer of state-of-the art knowledge in house and a well-designed in-house learning system cannot be ignored.

Keeping up-to-date does not mean that we don’t look to the past. The past is not passé. When we look back at history to glean lessons learned from others, the immediate question is usually: “Can it happen to us?” But we also need to ask: “Can it happen today? If not, why not? What has changed?” History is full of cautionary tales about taking bad risks that can serve as great case studies for internal auditors to sharpen their acumen on business risk assessments. The same can be said of the success stories from others. The important aspect to keep in mind is that what works for one company may not work for another. Therefore, instead of posing the question, “Can it happen to us?” we should ask, “Will this success formula work for us given our appetite for risk?” By looking back with an eye to the future, we can uncover a timeline that can serve as a continuum rather than a fixated point in the present.

Take the subject of Privacy audits as an example. In Canada, if you want to find out what’s new in the era of social media or significant privacy breaches, penalties and recommendations in the past, learning opportunities are at your finger-tips. The Office of the Privacy Commissioner website www.priv.gc.ca for one, will bring you up-to-date with many new ideas to tackle this subject in your audits. You can look for relevance both internally (in your audit program) and externally (in Canada or beyond). This website also has current information on fraud, ID theft, online reputation, Cyber risk and privacy liability. As it happens, on March 18, 2016 the Canadian Privacy Commission posted a request for public input on privacy and online reputation (https://www.priv.gc.ca/media/nr-c/2016/an_160318_e.asp). Many privacy auditors are well-positioned to participate and spread a positive image for us!

Future Re-imagined

In March, 2016, Richard Arthurs, Chair of IIA Canada Thought Leadership Committee moderated a session Ensuring Boards get value from Internal Audit – How Internal Audit can help Audit Committee with their ever increasing responsibilities (https://chapters.theiia.org//IIA%20Canada/Pages/Thought-Leadership.aspx). One panelist’s comment particularly hit home a nagging situation that has been around for a long time: the perception of the lack of business acumen in auditors. Unfortunately perception is reality. This situation was more acute in the early days when technology auditors considered themselves a special breed. Typically these audits narrowly focused on IT without a fair understanding of the business drivers associated with their work. Nowadays the mantra of “Business drives Technology” is increasingly gaining resonance. It may not be a long shot to surmise that in future, business and IT audits will intersect. “Integrated” audits will further mature. There will be more “interoperability” between financial audit, internal audit and IT audit because they are all interdependent, just as business technology partnering, business and IT alignment is now the new normal.

After criss-crossing diverse career paths since the eighties, moving from systems to accounting, then to internal audit, risk management and compliance, and finally returning home as CAE at AIMCo for 5 years until the end of 2013, I can testify to the mobility and rewarding career internal audit can offer.

The 21st century auditor looks at IT as a business enabler. Emerging technology risks are not labelled as IT or business, but both at once. Cybersecurity, Internet of Things, Big Data are a few examples that come to mind. This notion does not discount the fact that there will always be specialist technology auditors of a higher degree of vertical specialization.

One Last Message

A bright future awaits auditors who have the ability to articulate IT risks that businesses must mitigate. Those who have skills to communicate with a shared business and IT vocabulary will find a niche and be able to create their own jobs, and be able to move comfortably within or outside the audit function.

The velocity of change in our time is indeed phenomenal. At the turn of this century, many Google apps were mere fantasy; Cloud computing had a lot of skeptics; iPhone, iPad, and Facebook were in their infancy; Twitter was hardly audible; disruptive technologies like Uber and Airbnb did not exist. In light of advancements such as these, internal audit must seize the opportunity to look at issues through a new lens and to consider more innovative ways of performing audits.

Christine Day, the former CEO of Lululemon once said: “I am far more interested in “what could be” - what’s needed – than I am in “what is”, because by the time there is evidence, somebody else is already doing it”. Again, this message is reinforced by Cineplex Canada’s Gord Nelson, Canada’s CFO of the Year for 2016, on “the need to anticipate, rather than to react “, and “why innovation is no longer optional”.

Internal audit’s scope and sphere of impact and influence will rest with auditors equipped with sound business knowledge and a keen eye on the future and seeing what’s next.

END

6 of 6