Reimagining Resilience

The  last few months have catapulted internal auditors into rethinking and  reimagining how they can best serve their organizations. Most of us have  experienced and witnessed businesses either progressing or regressing within  this evolving risk landscape. So much has changed — perhaps  permanently.

While life is about constant change, the pandemic has  highlighted how rapid and deep change can be. Resilience in its basic form is  the capacity to achieve your mandate in spite of the challenges those changes  bring. Although many people see resilience as the capacity to bounce back, for  me it also involves bouncing forward to a new state no matter how  difficult that may seem during this time of crisis. In my year as chair of The  IIA’s Global Board of Directors, I will work to help our profession “Reimagine  Resilience.” For internal auditors and their organizations, resilience demands  far-reaching transformation. 

Challenges and Opportunities

The  public health dimension of the pandemic has naturally been at the top of the  current agenda; however, its other impacts have accelerated preexisting  challenges for businesses. One of the key issues over the past few years has  been business model transformation. The components of this complex trend can be  summed up in a neat formula: D2C5. If D2 is  data and digital, which represents what many business models are increasingly  based upon, these factors are further shaped by five pressing influences:   Customer expectations of online, real-time  services backed up by fast fulfilment. A Competitive landscape that is highly dynamic and  unpredictable. Culture and Conduct, which are  molded by organizational philosophies and reputation. Compliance imperatives guided by the regulatory  landscape. Cyber platforms that present  risks and opportunities.

Each of these trends can have profound implications. For  example, during the pandemic the control environment associated with the cyber  world has rapidly evolved. It is often no longer predominantly on-site at the  business. It has moved into homes and onto the cloud, making the cyber  environment much more vulnerable. Layered over these immediate challenges are  new geopolitical trends, climate change, and the fourth industrial revolution.

But threats bring opportunities for those ready and willing  to grasp them. Throughout the pandemic, for instance, internal audit has had to  find smarter ways of conducting audits and offering advice quickly through the  effective use of technology. Many internal auditors have revolutionized their  working processes and departments to operate in tandem with their businesses.  They have become trusted business advisors and represent pockets of excellence  throughout the world. Elsewhere, internal audit leaders must become more  catalytic by encouraging innovation and smarter ways of working. They must  realign their objectives with what is happening in their organizations.

I urge internal auditors to rise to the challenge by  focusing on five core imperatives — technology, agility, collaboration, talent,  and tenacity.

A Resilient Life

The theme of resilience resonates with me because I grew up in an orthodox, deprived family during the apartheid years in South Africa. Both of my parents died in middle age — an experience that forced me to derive independence from a young age. These events led to me constantly and tenaciously reimagine my future.

Today, I have more than 26 years of corporate experience, including working as an internal auditor in diverse industries, and I have become known as a change agent in the profession. For 16 years, I also served as a nonexecutive director of both public and private sector entities, which boosted my strategic and operational knowledge. Being an internal auditor has provided me with the best platform for making a significant difference in the organizations in which I have worked.

I moved from being senior vice chair to global chair of the IIA Global Board of Directors in July 2020. I am currently CEO of the Independent Regulatory Board for Auditors (IRBA). The IRBA is a public protection statutory body established to protect the financial interests of the public by ensuring registered auditors and their firms deliver services of the highest quality.

Recognized as “South Africa’s Internal Auditor of the Year” in 2014, I have overcome my fear of public speaking by addressing conferences around the globe on a variety of topics, such as corporate governance, risk management, auditing, combined assurance, women in leadership, and the impact of AI and robotics on industries. In addition, I participate in mentoring circles, panel discussions, and networking sessions throughout the world, and I strongly believe in developing young minds.

I participated on the King IV Corporate Governance technical committee before its release in November 2016. I am also one of the contributing authors to the seventh edition of Sawyer’s Internal Auditing. This book is used globally at universities to teach internal auditing. Most recently, I chaired a global working group spearheading The IIA’s Three Lines Model, which is an update of The Three Lines of Defense and was released in early July.

I continue to reside in South Africa. And with my supportive husband, we are raising two teenage daughters and a Maltese poodle. 

Use Technology Strategically

Technology enables internal auditors to be  strategic and focus on the bigger picture. With the holistic view technology  can provide, auditors can help accelerate smarter ways of working and improve  decision-making within the organization.

For example, at one  stage in my career, I worked in a bank as chief audit executive (CAE). My team  was given the job of evaluating different governance, risk, and compliance  platforms that would be rolled out across the enterprise. We wanted to use the  same platform to create a holistic view of the risk and control environment.  Thus, we developed common taxonomies for the organization so we were consistent  in our reports to governance committees. This eliminated the common problem of  partitioning risks within individual business units, and it added value to  reporting to governance committees because the first, second, and third lines  could talk consistently about any particular risk.

Few technology implementations run smoothly from day one,  and there will be frustrations along the way. If the organization is lagging  technologically, internal audit will need to encourage management to speed up  its implementations. Internal audit departments with few automated processes  should start small and build over time. Where the business has been at a more  advanced technological state than the internal audit department, for instance,  internal audit should leverage the business’s expertise and experience to  develop smarter audit techniques. This will enable internal audit to align its  capabilities with the enterprise.

Be Agile to Address Priorities

For  internal auditors, being agile means ensuring their teams are aligned with  organizational priorities and can respond quickly. Aside from just embracing  agility in the audit process or methodology, internal auditors must provide  relevant insights and advice that foster innovation and improvements within  organizations. Too many audit departments are locked into an annual audit  planning cycle that stifles creativity and flexibility. CAEs need to be  confident that their planning process gives them the power to frequently  realign and change their audit program so it reflects their understanding and  anticipation of emerging issues.

Taking such an approach elevates the creation of the annual  audit plan into an exercise in combined assurance. In my time as a CAE, for  example, the process was underpinned by holding an annual audit planning  workshop with key stakeholders. As part of such a workshop, the CAE should ask  the CEO, chief risk officer, nonexecutive directors, and others how they see  the risk and control environment and whether they think internal audit has  missed anything important. The CEO has an opportunity to directly articulate  the key risk and control areas internal audit should address. That may include  new corporate activities or mergers and acquisitions, where an internal audit  exercise could add value. The CAE can list these critical activities and build  them into the internal audit plan.

While the annual plan  retains its importance in the agile audit process, it is equally important to  engage more regularly with the audit committee and other board committees. A  quarterly meeting can be effective in sharing which audit activities are in  progress and which have been suspended because they have ceased to be key  priorities for the organization. Agility enables the audit department to be  risk-based in its planning. It enables the CAE to use his or her seat at the  table to listen to what’s happening and align the audit plan to reflect the  organization’s most important priorities. 

Collaborate to Communicate

Collaboration is critical to internal audit’s  success. While some internal auditors have specialist knowledge of particular  audit techniques or business areas, most are not specialists — those  specialists are most likely sitting in the first and second lines. Internal  auditors must leverage the knowledge and expertise in those lines without  crossing the line of objectivity. In fact, CAEs must see collaboration as a  strategic role for the internal audit function. Collaboration creates alchemy  across the three lines — that magical process of transformation and combination  that happens when people work with each other and respond to, anticipate, and  reshape what is taking place in the organization.

Strong relationships  within the business also can help auditors better understand the nuances and  dynamics of the risk landscape. In my roles as a CAE, every audit engagement  began with a facilitated audit planning workshop with the managers in the  target area and the risk and compliance people. That enabled the team to create  a risk and control matrix that was reflected in the audit process and in the  reporting.

Using this approach, the  audit’s stakeholders receive regular communication from the audit team, and  during the closing process the same participants come together in an  issue-remediation workshop. The same players that were there at the planning  stage discuss with internal audit the exposures that the organization faces if  the risk manifests, the root cause of those risks, and the agreed management  action to address them. Not only is the whole process done faster through  collaboration, it also avoids internal auditors making best practice  recommendations that may not be pragmatic for their particular organizations.  Management actions are firmly owned by the very people who have helped identify  them. 

Hire the Right Talent

Effective talent management enables internal  auditors to achieve the optimum mix of skills and experience to serve their  organizations well. Internal auditors at every level of the profession must be  committed to continuous professional development. That entails both  understanding what is happening in their own industries and in the internal  audit profession at large. The IIA globally has been enhancing its services to  help internal auditors achieve their potential as professionals who can become  trusted advisors with a holistic outlook.

Traditional internal  auditors are fast becoming obsolete. Today, all auditors need to have the  knowledge and skills to audit the entire value chain. Recruiting the right new  people, sometimes with nontraditional audit skills — those with different ways  of thinking, who embrace change and are willing to adopt new ways of  working — has become even more essential. CAEs must ensure they work with human  resources (HR) so the recruitment and selections processes do not reflect  outmoded stereotypes of attracting the right internal audit talent. By working  with the head of HR, CAEs can ensure they communicate what the business needs  and that the right skills are developed within the team.

CAEs must use all the tactics available to build talent,  including hiring secondments from the first and second lines and cosourcing  from a third party. Staff must be equipped with the right IIA qualifications  and training. CAEs can boost skills by creating networking forums in specialist  areas to spread knowledge among the entire team. They should consider using The  IIA’s Global Internal Audit Competency framework alongside the audit plan to  identify gaps and plan for the future skills needed in the team. 

Be Tenacious

Individuals  and organizations that are not tenacious are not resilient. Tenacity enables  internal auditors to change challenges into opportunities. That requires having  the courage to share views on the risk landscape that business leaders may not  want to acknowledge nor accept. That is what it takes to have a seat at the top  table.

Looking at the challenges posed by D2C5,  tenacity becomes a vital resource. In some respects, I am fortunate enough to  have a bold personality — I am naturally able to voice my opinions, accept  criticism, and learn from my mistakes. But I also live by a certain motto that  says competency builds confidence. If internal auditors commit to lifelong  learning and are able to demonstrate their competence to themselves and others,  they will develop the courage necessary to understand, learn, speak up, and  open themselves to new challenges.

On a very practical level for CAEs, that means using their  seat at the table to invite constructive criticism. I have always used customer  satisfaction reviews as part of my internal audit routine. After every audit  and also biannually, I issued a report card to stakeholders. Any criticism is a  good starting point for improving the audit process. Sometimes it is going to  be difficult to retain one’s composure, but internal auditors must be able to  navigate corporate politics. As I often say, persistence pays profits. 

Work Together

If that all sounds like too much to take on,  internal auditors should remember they are not alone. They are part of a global  profession that is working together to achieve excellence in organizations. The  Global IIA is a treasure trove of resources — whether it is the formal  qualifications, training, webinars, and conferences, or the informal networks  and special interest groups. For example, Global IIA has been very active  during the pandemic, putting together the COVID-19 Resource Exchange where members  can freely tap into the different ways of auditing during this time. Working  with the Global IIA team has been fantastic for me, personally, because it has  allowed me to network with like-minded individuals.

I urge all internal  auditors in this difficult time to reimagine resilience, both in their own  professional lives and in the internal audit functions in which they work. Be  enthusiastic, commercially aware, and not afraid of moving into uncharted  territory. If internal auditors can learn to better shape the destinies of the  organizations that we serve, we can help those organizations bounce forward as  they emerge from the crisis.