Since the financial crisis, risk management and compliance have come under renewed C-suite scrutiny. Tighter regulation – and levels of enforcement – mean executives need more assurance than ever before. However, internal audit has stepped up to the challenge.
Was there ever a time when boards wanted internal audit (IA) and compliance officers to ‘box-tick’ long lists of risks and controls? Perhaps for a few businesses. But there’s certainly no appetite to return to those days among most firms now.
Today’s C-suite is looking for internal audit to generate insights that can inform business strategy and drive operational change.
“Internal audit needs to demonstrate business acumen and commercial nous,” says John Machin, risk consulting partner at KPMG in the UK. “The business environment has never been more competitive, and new risks are constantly emerging. Internal audit needs to show that its recommendations are in line with the organisation’s key strategic priorities.”
Machin says that IA also needs to be more “forward-focused” with a keen view on emerging risks. “C-suites don’t just want retrospective reviews of how risks and projects have been managed,” he says. “They want internal audit to act more as a trusted advisor and critical friend – and give its views on what is going to happen, whether the business is achieving its strategic objectives, and if it’s on track to hit its operational targets.”
Stuart Wooldridge, partner and internal audit leader for KPMG in the UK’s insurance and investment management practice, agrees IA needs to increase its focus on emerging risks. “Retrospective reviews are important,” he says. “They ensure you can find out where problems occurred and how risks were mismanaged. But they do not provide a view of where the business is going.
“The C-suite expects internal audit to have an opinion on strategy and future performance and whether the organisation has the right control environment in place to help it succeed,” he continues. “Internal auditors have a valuable contribution to make in challenging management about how it is managing the risks around strategy. And executives want their input.”
Over the past few years, risk appetite and corporate culture have become increasingly important for boards. Executives understand that they need more assurance on these issues from their IA teams. In particular, they need to know how the first and second lines of defence (front-line executives and professional risk managers) view these issues, communicate compliance levels and set the right tone.
It has also become increasingly common for the C-suite and management to call on IA’s experience and expertise to help with the governance of business-critical projects, not just review their progress or assess how well the related risks are being managed.
“Internal audit needs to show that it can be agile and react to different needs,” says Machin. “Internal audit functions need to develop subject matter experts and show that they have a pool of talented people to serve the future needs of the organisation – whether that’s within the function itself, on loan from within the business, or through a third party.”
Machin also believes that IA needs to be more innovative about how it presents its insights. “Risk information needs to be presented in a more meaningful way, one that executives will understand, engage with and act upon,” he says. “It needs to be clear what the key risks are and how they can be controlled or leveraged.”
Hence the importance of having subject matter experts capable of translating risk assessments into actionable, credible operational decisions. Wooldridge adds that C-suite expectations apply equally to every member of the audit team – and not just those at the top of the function.
“Heads of internal audit have shown themselves to be increasingly commercially-savvy when they talk to the board,” he says. “But the function itself still often operates as a ‘policeman’ and is seen by some parts of the business as a brake on commercial decision-making. That needs to change.”
But even at that top level, the typical C-level executive hasn’t got time to read through hundreds of pages of risk information. “They need to understand what risks the business is facing, what they should focus on and what management actions should be taken,” Wooldridge stresses.
“Executives need internal audit functions to be more confident and assertive in their recommendations. If internal audit can’t trust its own work or judgment enough to speak out and be heard, why should the board listen?”
This article was written by Stuart Wooldridge, partner and internal audit leader for insurance and investment management at KPMG and John Machin, risk consulting partner at KPMG.
In most organisations, there’s still scope to make internal audit more commercially-minded with a greater strategic focus.