Lucia Wind of COSO Champions Agility as the Key to Internal Audit Success

Join Richard Chambers for a new episode of his Agents of Change video series, featuring conversations with internal audit leaders from some of the world’s most prominent organizations about innovation in the profession.

In this episode, Richard sits down with Lucia Wind, COSO Board Chair, to discuss her new role, internal audit’s strengths, and key areas for development, including:

• How internal auditors can use the COSO frameworks to approach new topics, such as ESG.
• The importance of communicating results effectively and being willing to pivot in a time of rapid change.
• Why an agile risk assessment will be crucial to internal audit’s success going forward.

Watch the full conversation, and read the can’t-miss highlights below.

Transcending Departments and Industries Is One of Internal Audit’s Greatest Strengths

Richard Chambers: I’ve described internal audit change agents as those internal auditors who are catalysts for transformational ideas that create value within the organizations they serve. What’s your view on that kind of role for internal audit? Do you see that as something internal auditors should be doing?

Lucia Wind: Absolutely. I think it’s critical, and where I see us being the most effective, and typically the resources that companies come to, is in our breadth of experience and our ability to be able to transcend departments, industries, different skills, and organizations. We’re one of those groups that can look at IT, controls and processes, marketing, procurement, and finance. And I think that makes us the perfect candidates for being change agents because we’re not siloed in our view, we can look at the bigger picture, the small picture, and drive the best value to any organization. 

Utilizing Frameworks to Tackle New Topics and Objectives

Richard Chambers: Let me say publicly, congratulations on your new role as the COSO chair. A lot of our audience members may have heard of COSO, but could you provide a brief description of their history and mission?

Lucia Wind: It’s been a great journey so far. It’s a great learning experience but going down a history lane a little bit — COSO has been around for a long time. The organization was first established in 1985. It was formed as a result of some of the financial scandals that were happening in the U.S. and worldwide at that time. What was established was the Treadway Commission, which is part of the full COSO name, the Committee of Sponsoring Organizations of the Treadway Commission, and was sponsored by the five organizations that were the founding members of the group. 

They’re still the current organizations that are very active and who we currently have on the board as well. The IIA, The Institute of Internal Auditors, is all about internal audit professionals, we have the AICPA, so all of our CPA members and certificate holders, FEI, financial executives, AAA, which is the American Accounting Association, and then IMA, Institute of Management Accountants. So those were the organizations that had a seat at the table to sponsor the Treadway Commission, and they are still a part of COSO right now.

Richard Chambers: So, COSO is most widely known for its two frameworks. Can you differentiate the Internal Control-Integrated Framework from the Enterprise Risk Management Framework?

Lucia Wind: Of course. The way I look at it is two frameworks that dovetail very nicely with each other. They supplement each other in the mission that they provide and the guidance that they provide. The Enterprise Risk Management Framework is the framework that will help organizations achieve their strategic objectives. It’s the big ticket risks that impact an organization that companies face, which are unique to every industry. So there’s no perfect script for that. However, the framework provides a thought-out process in which to assess those risks for your unique organization. 

When you look at the 2013 ICIF, which is our integrated framework, originally, it was published in 1992, and when I look at the controls framework, it’s the tool that helps you achieve and mitigate those services you identified in your enterprise risk management. It is so much more than that. I think many people think of it as just SOX and SOX compliance. But with the name of it being the integrated framework, it really can be used very widely throughout the organization to help you mitigate those risks and have those appropriate actions and processes in place. 

Richard Chambers: I think it’s so true, and we took great pains, I can attest firsthand, in 2013 to make sure that when that new framework came out, it was more than just internal control of financial reporting. I think you and the board members today are doing a great job of continuing to carry that message forward. Lucia, how would you envision that an internal audit professional could use these frameworks as a change agent within their company or organization?

Lucia Wind: Very recently, COSO published guidance on sustainability reporting, which takes the integrated controls framework and applies it to sustainability. When you think about being a change agent, there is an opportunity to take the frameworks that we have and utilize them for very relevant topics that most organizations face, such as ESG and sustainability reporting. The frameworks are out there to guide you agnosticically through the various processes efforts and objectives that you have, sustainability reporting being one of those. I know it’s a hot topic at every conference, event, and stakeholder that I speak to. 

Thinking Beyond the Workpaper: The Importance of Communication and Agility

Richard Chambers: Our research indicated that change agents have four strong shared characteristics or attributes. They have strong business acumen, and a strategic mindset, they’re relationship-centric, and they’re innovative. Are there any other things, any other characteristics, that you think an internal auditor has to have to drive change in an organization?

Lucia Wind: I think those are all great that you listed and I definitely agree. I think from my experience, where I’ve seen professionals be the most effective, there are two that come to mind. One of them is communication, and I know it sounds very elementary. It’s been around for a very long time. It’s how we all get around, right? But both written communication skills as well as our verbal communication skills. We can do the best audit, we can tick and tie everything, and we can have the most beautiful work papers. But if we cannot effectively articulate the results of the work and the scope that we were trying to achieve during the project to our stakeholders, our board of directors, to senior management, all of that work will go by the wayside. So communication is key for internal auditors to embrace. It’s not something that’s very easy, but it’s definitely a skill to invest in.

The other one is agility. In terms of agility, what I mean is being able to embrace change coming at you. A lot of the risks in our world and environment right now are changing rapidly. As agents of change, and as auditors, we’re going to have to learn how to pivot very quickly to embrace that change, to make sure that the projects we’re working on grab the most value. Technology changes, risks change, and so how are we absorbing all that information and implementing it into the work that we do? Absorbing change and being agile is not always an easy skill, you would think that it is, but being able to pivot will make you a more effective auditor in the long term. Those will be the two that I would add to your great list.

To Stay Ahead, Internal Audit Will Need to Develop New Skills and Embrace Flexibility

Richard Chambers: Looking ahead, what do you think are the most significant challenges that the internal audit profession faces? Say, in the next five to 10 years?

Lucia Wind: I think 10 years is very far to look ahead, a lot can happen by then. There are two things that come to mind and this is actually a question that has come up to me a lot in the last few events that I’ve been at. The two that I would list are skills, and what I really mean by that is transcending the typical skills of an auditor. I don’t think these days you have a business process that is purely manual like we had in the old days. When you had your business process auditors and you had your IT auditors, I feel like that line is starting to blur and business process auditors are becoming more well-versed in IT controls and IT testing, and vice versa. I think at some point, we will probably just have auditors, right? Their skills will be everything and they can all work in IT or business processes, and again, it goes both ways. 

That skills development will be critical because again, back then we used to have expense auditing be a very manual process where you got your receipts, you stapled them, and you walked your paper down the hall and got a manual signature on your expense report, then you got a paper check and mailed it. Right now, it’s an app and you scan a picture and there’s a magical workflow in the background, and next thing you know, there’s a direct deposit in your bank account. So even one of the most basic business processes is now fully automated. And that rate of change is happening all around us. Skills transition between IT and business processes, and adaptability to that, will be key. 

Then the other aspect that I think will be a change that is starting to occur but will need to happen much more widely and effectively is an agile risk assessment. I don’t think we can as auditors and professionals in the risk space just sit there once a year, do our risk assessment, and maybe tinker with it a little bit before the board meeting to make sure we’re good. I think it’s going to have to be a living, breathing document that is updated daily, constantly to reflect the resource blend that you need to have to get the work done. That you need to get done to make sure the project makes sense because if you do your risk assessment a year before and then a year later you get to do that audit, it may not be the most relevant thing that you should be doing, resource-wise, company benefit wise, board benefit wise, so agile risk assessments and skills development.

Richard Chambers: I think those are great observations. I absolutely agree with you. Both of those are significant challenges and will be essential for internal audits to overcome. Lucia, thank you so much for your insights on COSO and how you see internal audit’s role in driving change. And best of luck to you in your new role as the COSO chair.

Check out more audit leader interviews with Richard Chambers on our Agents of Change video series channel.