Join Richard Chambers for a new episode of his Agents of Change video series, featuring conversations with internal audit leaders from some of the world’s most prominent organizations about innovation in the profession.
In this episode, Richard sits down with Patty Miller, former Chairman of the Board at The IIA and Partner at Deloitte, and current Senior Advisor to CNM LLP, to discuss internal audit’s unique position in the organization, attributes of successful CAEs, and The IIA’s proposed new standards, as well as:
- How internal auditors can use their organizational perspective to step into a more strategic role.
- The importance of a flexible strategic plan that accounts for the variety of audit teams today.
- Key considerations for internal auditors as they help their organizations navigate the next wave of technology.
Watch the full conversation, and read the can’t-miss highlights below.
The Power of Internal Auditors’ Unique Knowledge
Richard Chambers: Patty, internal audit agents of change. I’ve described them as catalysts for transformational change that creates value within the organizations they serve. What’s your view on internal auditors taking on that kind of role?
Patty Miller: I think it’s fundamental to our role. Internal audit fundamentally is all about helping an organization achieve its objectives. And an organization’s objectives are vast, they’re changing, and they’re responsive to risks in the environment. At the end of the day, internal audit wants to help enable the organization through those challenges to positive change. And that means being proactive, it means being flexible in the planning — absolutely viewing themselves as a catalyst to positive change.
Richard Chambers: My experience has been that a lot of internal auditors accumulate a lot of knowledge about their organization. They serve for long periods of time. They have all this knowledge and they bottle it up, and they don’t really feel comfortable going forth without being asked to share their perspectives. Has that been your experience?
Patty Miller: I’d say yes and no. So, yes, there are internal auditors who are, I would say, more compliance-focused, perhaps more historic-looking auditors, and they view their role as reporting the facts they find in an audit as opposed to stepping back and saying, “What does all of that mean? As someone interested in helping this organization achieve success, can I see patterns? Can I see themes? Can I see some fundamental issues that the organization needs to be aware of because I’ve thought about it over a series of time?”
That could be from audits, it could be from interactions in hallways with people in the organization. It could be just from being within the organization and understanding the culture and what the organization is trying to achieve. I think if you can be objective and you can be analytical and think critically, you can bring some important insights to a board or an executive that no one else in the organization can. I hope that we step up to that role.
Breaking Out of the Traditional Box and Thinking Strategically Requires Courage
Richard Chambers: Patty, our research found that one of the four attributes for an internal auditor to be a great change agent is to have a strategic mindset. Now, you’ve been an internal audit leader at virtually every level. How mature do you think our profession is when it comes to what you believe enables strategic abilities within internal audit?
Patty Miller: I have to answer it kind of how I answered the last question. It depends. There are audit groups and CAEs who are way at the forefront of strategic thinking. Then there are those who perhaps don’t have a forward-thinking board or a board that doesn’t understand the value that internal audit could provide and they feel constrained. So I don’t know if I can make a general maturity statement.
I would say that those who are successful at it have clearly explained to the board what the role is or what the role could be; that it’s not just about addressing how we’re doing things today. It’s also about thinking, about what’s coming tomorrow and the day after tomorrow and the day after tomorrow; where do we best assign our limited resources to provide value to the organization? Sometimes that may be areas that a controller or a CFO would go, “What in the world is internal audit looking at that for?” Guess what? We do a lot more than financial controls. I think that the CAE — you used the word “courage” earlier — has to be courageous enough to tackle areas that traditionally weren’t in our purview. And to share their expectations for the role and not just sit back and accept what someone else thinks they should be doing.
Richard Chambers: That’s been my experience, too. What do you say to a chief audit executive who says, “I don’t need a strategic plan for internal audit. My job is to know the imminent risks facing the organization and to deploy the internal audit resources to address those risks. I don’t need to be thinking out two or three years; I just need to be focused on the risks at hand.”?
Patty Miller: Well, I guess I’d say they’re wrong. But even if you thought your job was just the risks I’ve identified today, or that maybe are going to happen tomorrow, even if that was how you viewed your job, I don’t know how you could do that without having a strategic mindset, because do you have the right resources? Can you deploy them where they need to be deployed?
Richard Chambers: And will you have them in two years?
Patty Miller: Yes. When you think beyond imminent risks to what might be around the next corner and what might that lead to, you have to think even more strategically about, how am I going to get there? How am I going to have the resources and the tools I need, people in the right place at the right time tackling the right issues? I think it’s impossible to do internal audit well without strategically thinking about, what am I trying to accomplish? How am I going to accomplish it? What are my priorities? What are my resource requirements to make that happen? And being able to have those clear conversations with your board and your executive leadership team.
Richard Chambers: If you don’t know what, or you’re not focused on what the future strategy of your business is or the organization you serve, how are you going to be positioned to address that when the time comes?
Patty Miller: Absolutely.
A Strategic Plan May Not Be One-Size-Fits-All
Richard Chambers: Patty, as we both know, The IIA’s proposed standards that they exposed earlier this year, one of the requirements in there is that, assuming it’s adopted, every CAE will need to develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organization and aligns with the expectation of senior management, the board, and other stakeholders. What is your reaction to that requirement? Would it be a good idea for the IIA to require a strategic plan?
Patty Miller: So I’m smiling because we’ve talked about this before. I’m a little torn on this one to tell you the truth. I absolutely think it’s important for CAEs and for their leadership team to be strategic in their thinking, and to have a strategic plan for their organization, for all the reasons we just talked about. What I struggle a little bit with is The IIA’s proposed standard, which specifies what the elements of a strategic plan need to be.
Richard Chambers: Just to be clear, that strategic plan has to include a vision, strategic objectives, supporting initiatives, for the internal audit function. So The IIA gives you very tactical instructions on putting the strategic plan together.
Patty Miller: Yeah, so my challenge is the nature of internal audit globally is quite broad. And we have everything from one-person internal audit shops to internal audit groups with hundreds of auditors. We have co-sourced internal audit groups. We have outsourced internal audit groups. We have internal audit groups who unfortunately still only focus on Sarbanes-Oxley compliance. We have internal audit groups that do broad advisory work. I mean, it is all over the place. And hopefully to the most extent, it is about helping their organization achieve success.
So now you step back and say, “How do you dictate to that wide variety of functions one way to do a strategic plan?” If they don’t document a strategic plan exactly how it’s been specified, does that mean they can’t be successful and they’re not a professional internal audit function?” I think that’s the question. Is that really a requirement to be a professional internal audit function, to have that documented plan in that form? I struggle a bit with that.
I would say yes, absolutely you need to think strategically because nobody has unlimited resources. You’d better be thinking about, where am I going to apply them to the best value? But whether or not you specifically document it the way it’s in the draft standards, I’m not sure that should be a requirement and I’m hoping that that is changed a bit in the final disclosure or final requirements.
Richard Chambers: Yeah. Well, I guess we’ll see soon, right?
Patty Miller: We will.
The Impact of Technological Evolution Extends Beyond Career Competencies
Richard Chambers: Looking ahead, what do you think is the biggest challenge facing the internal audit profession in the next decade?
Patty Miller: Clearly, the increasing evolution of technology is a challenge facing all organizations. That changes how processes are done in organizations, but if you think about it, also changes the requirements on the workforce. It changes the nature of the workforce you need, the competencies they need, the kinds of jobs they have.
There are also, if you will, societal or ethical considerations that come out of the rapid change in technology. You can think about the collection of personal information and all sorts of different new systems. You can think about jobs being, I’ll say, done away with, replaced by artificial intelligence. And there are, I’m going to use a big word here, ethical considerations that go along with all of that. So helping your organization maneuver through, not just the technological change and the competencies required for that, but also all of these subtending implications I think is going to be a huge challenge, and you like to use the phrasing “speed of risk”, an increasingly speedy risk scenario.
Check out more audit leader interviews with Richard Chambers on our Agents of Change video series channel.