Organisations have faced immense disruption over the past year, but disruption on some scale is with us constantly and this creates opportunities as well as threats. Internal audit is in a unique position to help identify both and to support businesses, so that they emerge stronger and more resilient – but do internal auditors feel equipped to do so?
We partnered with Protiviti to hold a series of roundtables and interviewed chief audit executives (CAEs) to find out how their organisations fared during the pandemic and what they learned from the experience. They discussed what they would do differently when the next disruptive event strikes, and what the disruption has caused them to do differently that they will continue doing.
The questions were intended to identify lessons from disruption in general, not just the pandemic and, significantly, 72 per cent said their organisation had been affected by disruption from a source other than Covid-19.
Individual experiences varied, but there were common themes. Respondents generally believed that the pandemic had enabled them to introduce long-touted efficiencies and innovations far more rapidly than expected – many mentioned faster, more flexible internal audit planning and reporting processes.
Speed and agility were a critical element in many positive experiences. Interviewees in all sectors marvelled at the speed with which they had moved to remote working in the first lockdown. “If you had told me we would all be able to work remotely a year ago, I would have said it was impossible,” said one. Another agreed: “If we had embarked on a project to move everyone to remote working, I would have said that it would take about 18 months.”
The pandemic also proved a bonding experience. “I am so proud of my team!” was a common refrain. Communication and staff wellbeing were key concerns – reinforcing the emphasis on “soft” skills, leadership and effective communication in internal audit’s toolkit.
Many said internal audit’s reputation and relationships with management had improved, and they’re receiving more requests for support. CAEs generally saw this as good for the profession and planned to provide shorter, sharper reports and to work more collaboratively. Increased management appreciation of the importance of good governance and risk management was also cited as a benefit.
Technology was crucial during lockdowns and respondents believed it has increased their teams’ confidence using it. They hoped to build on this and incorporate more data and automated systems in future.
When asked about organisations having to take more risks to survive in a riskier world, 66 per cent of roundtable attendees believed that internal audit can assess, and comment on, the balance between internal and external risks, which would inform their contribution to the impact of future disruption events (such as climate change, financial liquidity problems, cyber attacks and challenges to their organisation’s sustainability).
CAEs agreed that internal auditors must improve their ability to spot emerging risks and scan horizons. Some said they had learned lessons about paying more attention to what was happening in other parts of the world. Others enthused about new opportunities for collaboration and sharing knowledge, such as the Chartered IIA’s forums.
“I can see from the individual risks where the perfect storm could come from, but risk management needs to do this work for us, and when they miss things, so do we. I can use the World Economic Forum’s annual risk review and other documents that are published (by the IIA and risk groups), but this creates group-think. I don't feel that we spend enough time talking with our risk colleagues to look far enough ahead at what could be on the horizon. I think we have the skills to do this, but don't prioritise it enough,” said one CAE.
“We need a better balance between hindsight, insight and foresight in our reporting – often, the latter is neglected. We also need better use of visualisation (less wordy reports) to aid sharper and quicker reporting,” agreed another.
View from Mark Peters - Managing Director, Protiviti UK
“The internal audit profession has also experienced significant and positive changes over the past few years, which have only accelerated during the pandemic. CAEs and their teams are experiencing the rapid adoption of technology and evolving business models underpinning the importance for them to develop and advance next-generation components relating to knowledge and skillsets in governance, methodology and enabling technology.
The vision for internal audit will also change over time as new business objectives, risks and technologies materialise. For this reason, an effective next-generation function will be adaptable: flexible enough to respond to disruptions that can’t be seen today, but which will definitely arrive tomorrow.”