
Waves of Change 

Jon Taber, CIA, CPA, CFE, CFF, Oct 09, 2023

In a post-pandemic, digitally transformed world, the concept of governance stands out as more relevant than ever. Originating from the ancient Greek term kubernao, which means “to steer,” governance today has evolved to represent the complex art of guiding organizations through modern challenges and stormy waters. 

However, the current environment demands more than just navigation. Organizations need foresight and agility. Adaptability, transparency, and innovative leadership are critical to governance, as with ever-increasing challenges come more opportunities. Today’s leaders must embody these principles to help determine whether their organizations survive and thrive while riding the waves of change. In this context, internal audit’s role is critical, acting as a guiding light for boards to effectively govern in this digital age with confidence.

The Evolving Board

In the last three years, boards, specifically audit committees, have experienced a significant increase in their roles and responsibilities. The Audit Committee Blueprint, released this year by the National Association of Corporate Directors and KPMG, highlights 10 essential areas of focus for audit committees going forward: financial reporting and expertise; risk oversight; environmental, social, and governance (ESG) risk and disclosures; finance function talent; audit quality; internal audit value; transparency; compliance and culture; critical alignments; and audit committee focus.

Terri Vaughan, audit committee member at Verisk Analytics, a data analytics and risk assessment firm based in Jersey City, N.J., says the pressure boards are receiving from investors, customers, employees, and other stakeholders is “off the charts.” She adds, “Boards are having to step back, refresh, and ask themselves: What is it that we can do here?” In her view, governance is not complex, but managing all the risks associated with corporate strategies is more than challenging.

Anne Bramman, audit committee member at McCormick & Company, a global flavor company based in Hunt Valley, Md., adds that the required skills of boards are changing. “Companies no longer look for financial expertise only,” she explains. “Many focus on deep industry expertise, an information technology background, and financial proficiency. The specific need will depend on the industry.”

Cybersecurity, privacy, artificial intelligence (AI), ESG, and diversity, equity, and inclusion (DEI) are common concerns of today’s audit committees. Vaughan stresses the need for ESG frameworks and organizations to support their ecosystem, including suppliers, customers, and other stakeholders.

Diane Bridgewater, an audit committee member at Ankeny, Iowa-based convenience store chain Casey’s, questions how the use and adoption of AI will change governance. “How are boards making sure they are exploring the use of AI with eyes wide open for deriving its many benefits while managing its risk if guidelines and appropriate use cases are lacking?” she asks.

Internal Audit as a Strategic Partner

As boards struggle to address all these changes and new governance concerns, internal audit can help. The function can start by being a strategic partner to the board.

A flexible audit plan. Annual audit plans are a thing of the past. The contemporary corporate environment, marked by unpredictable changes, demands flexibility and adaptability. Auditors must pivot as situations evolve, aligning strategies with the current landscape.

By continuously benchmarking against developing applicable leading practices, internal audit can recalibrate its audit methodologies to be practical and in sync with modern demands. This is where the Audit Committee Blueprint focus area of “critical alignment” comes into play.

“Internal audit needs flexibility with its plan and needs to align priorities,” Bramman says. “Internal audit can make itself very valuable if it has a holistic approach aligned to strategic objectives.”

Going forward, it will be more important than ever for internal audit to help audit committees maintain critical alignment throughout the organization in the areas identified in the Blueprint report — culture, purpose, strategy, goals, risks, compliance, controls, incentives, performance metrics, and people.

Auditing with insight and foresight. The evolving role of internal audit can be compared to being on a road trip, with the view out the windshield symbolizing the broad range of possibilities. At the same time, the relatively minor rearview mirror captures the limited scope of hindsight. While the rearview mirror remains essential for analyzing past decisions and actions, the windshield signifies the much more important act of looking ahead to make informed decisions.

Outdated audit functions solely focus on adherence to regulatory norms and processes. The approach of “we can only audit the past, not the future, and we should never be engaged in any project that management is currently working on” has limited merit.

Internal audit must transition from merely assuring compliance to offering strategic guidance to management and the board. The function must be part of the organization’s transformation process, and the transformation process must be based on transparency.

Internal auditors should avoid repeating the same messages from management. As a working group member in the Audit Committee Blueprint report noted, “make sure the committee is getting information, not just data. … With real information, the committee will be in a position to discuss and provide insight regarding the critical issues.”

The power of the organizational chart. At its core, governance revolves around having the right people in the right positions. In Good to Great, Jim Collins defines the triad of effective management: The right people on the bus, the right people in the right seats, and the wrong people off the bus. This philosophy resonates when internal audit considers the organizational chart as more than just a visual representation. Instead, it is a map, pinpointing strengths and weaknesses.

Take, for example, an observation that materializes during a project review: Some department functions need to align within the hierarchy. The organizational structure can be a contributing factor to inadequate segregation of duties. This is where the organizational chart plays its best card, offering a clear vantage point to divide roles, responsibilities, and chain of command.

A thorough review of an organizational chart should raise leading questions: Is there an appropriate staff allocation? Are the staff’s skills commensurate with their functions? Are there discrepancies in the chain of command? Such analysis should not be a one-off review. Instead, to the extent possible, it should be embedded in all audits.

From a board perspective, a main focus here is on talent in the finance department. The Audit Committee Blueprint notes: “…it is critical for the audit committee to stay attuned to the needs of the CFO and the finance organization. Does finance have the necessary leadership, talent, skill sets, and other resources?” 

A focus on ESG and DEI. Companies must pay more than lip service to ESG and DEI initiatives. Internal audit must go beyond merely verifying numbers and validating data for these two emerging areas. ESG and DEI should become an inherent part of the audit process. The goal isn’t just to validate but to collaborate. The Blueprint report provides a forward-looking consideration to “recognize the increasing stakeholder demand for high-quality ESG disclosures.” As one of the working group members observed, “Audit committees today need to focus on the quality of the information that their companies are including in their sustainability reports and elsewhere.”

Quality information is possible when auditors partner with the business, offering guidance in devising cost-effective solutions that address long-term ESG challenges.

These solutions may be industry specific. If so, internal audit can benchmark the organization’s report against those of its competitors. Benchmarking can help companies discover areas where competitors have reduced waste and increased efficiencies. Organizations engage in these types of initiatives when it makes sense financially, so by looking at the competition, internal audit can get one step ahead in the decision-making process. Internal auditors can assist management in evaluating profitable and sustainable solutions for their organizations and stakeholders, and as a result improve the value of these disclosures.

Cyber and privacy risks. Addressing cyber and privacy risks is a must for organizations. It is part of the risk oversight that audit committees need to assess continuously. CAEs who do not include these types of reviews in their audit plan will need to explain why to their boards. With increasing digital footprints and a rise in sophisticated cyber threats, companies are more vulnerable than ever.

That vulnerability is not only in the digital space. Another element of physical security was added with remote work arrangements. “In a hybrid environment, protected data is going and being printed everywhere,” Bridgewater says. “Data privacy is much more challenging with a very widely distributed workforce.”

Cybersecurity experts agree that user education is the most effective method to prevent cybersecurity and privacy incidents. As a Blueprint report working group member noted, “crisis readiness is critical. Make sure the company is staying on top of its risk assessments.”

In addition to tabletop exercises, internal auditors can partner with their IT or learning and development departments to proactively educate users on common attack vectors. A typical cyberattack is business email compromise (BEC). BEC is a cyber scam in which the attacker targets a business, tricking the organization into diverting funds to a fraudster’s account. To address this threat, internal auditors can send detailed requests, like a fraudster would, to departments that control disbursements — payroll, accounts payable, and treasury — to raise awareness of these malicious attacks. Why wait for something to happen? Boards want organizations to be crisis ready.

Algorithmic auditing. It is not just a catchy term; algorithmic auditing is a bridge to the future of internal auditing. While some internal audit functions may still not be using technologies such as large language models, machine learning (ML), or other AI, it’s undeniable that the use of these technologies is growing. Organizations, and even the vendors partnering with them, increasingly integrate these AI tools into their core processes.

But with this digital change comes greater responsibility for auditors. Internal audit’s value derives from focusing on key, emerging risks. One Blueprint working group member observed, “Internal audit is looking at a broader portfolio of risk today, so they need people with new skill sets. They don’t need to be a jack-of-all-trades, but they need to have a deep enough understanding of the issue to assess the risk.” This statement could not be more accurate for the internal auditor who is striving to understand AI.

The modern auditor must delve deep into the algorithms, understanding the details of how these models function and, more critically, how they make decisions. The path forward is being able to ask intelligent questions about model transparency, data integrity, decision routes, and potential biases.

If the auditor cannot thoroughly review the ML or AI model in question, an alternative is to test it. For example, if the vendor cannot share its proprietary model, internal audit can use scenario-based testing in which the internal audit team is the customer to validate back-end data. While internal auditors embrace AI’s wonders, they must do so with due diligence, responsibility, and a dose of creativity.

Future Ready

As digital transformation continues, governance has never been more critical. Boards have gone through significant change over the last three years, and these waves of change will continue. As organizations and boards face new challenges, auditors must have the knowledge and tools to help address them.

Jon Taber, CIA, CPA, CFE, CFF

Jon Taber is an internal audit manager at Casey’s in Ankeny, Iowa.