In this edition of AuditTalk, Scott Arnold, president and CEO of AuditBoard, spoke with Anthony Pugliese, President and CEO of The Institute of Internal Auditors (IIA), to discuss how The IIA is working to elevate the profession to be ready for the challenges of a fast-moving environment like cyber risk, ESG, and more — because when internal auditors can do their work better, that work serves the greater public good. Hear why:
- Cyber risk is a natural growth area for internal audit.
- Helping create value around ESG is in internal audit’s DNA.
- Technology learning is a matter of survival, and how The IIA is using competency modeling to support upskilling at multiple levels.
Watch the full conversation, and read the can’t-miss highlights below.
Cyber Risk Is a Natural Growth Area for Internal Audit
Scott Arnold: “In the most recent OnRisk 2022 guide from The IIA, cyber risk has come out as one of the very top areas of concern for auditors and companies, and AuditBoard saw this as well in a recent survey that we published. What are your perspectives on that? How should auditors be thinking about the role that they can play in helping organizations manage cyber risk?”
Anthony Pugliese: “If you think of the basics, our profession’s role is to help the board and management — the first and second lines in our Three Lines model — be prepared to understand risk, understand their role in mitigating risk, and help management with decisions and things that they need to be aware of. Cyber has become so dramatically important so quickly… There’s an almost three million person workforce gap in terms of people available and skilled to do cybersecurity. Given where we sit in organizations, I have to think we are uniquely qualified and situated to provide that service on what we are calling the key risk for the last two years.”
“I think we’re able to really assist management and boards with understanding cyber risk and responding appropriately to it. Even helping management and boards describe to the public — say in a disclosure, exactly what they’re doing to mitigate risk — we can also assist in areas like that. So, it’s such a big topic, and knowing the workforce gap is what it is, I think we have an active role here, and I think we’re able to claim this space. A lot of professions say they’re the ones that own cyber risk, that they’re the ones that are doing it, but we really are uniquely qualified. We are already there. It’s a natural growth area for us and I think it’s important for us because cyber risk isn’t going away anytime soon — it’s just getting more and more significant.”
Why Helping Create Value Around ESG Is in IA’s DNA
Scott Arnold: “Well, if cyber is the top of the headlines today, right below it is the whole issue of ESG… I know you’ve spent some time up on Capitol Hill in discussions with the SEC, this is an area that could explode in the profession going forward. How do you think we can help prepare the profession to be ready to play a key role in ESG as well?”
Anthony Pugliese: “ESG is another example like our opportunity with cyber. Anecdotally, I think the one question I get the most from members is why is ESG happening so fast, and I have to always remind them it’s not. It’s actually been happening over decades. It’s beginning to hit North America, specifically the US, a little bit quicker than it has in the past, but companies have been doing this since the ’90s, especially in Europe. I think what’s causing it to mature at a more accelerated pace is that the world’s changing. We are seeing climate change issues and a range of issues that are proving that those disclosures are important. We’re also seeing investors demanding it, and we’re seeing trillions of dollars in mutual funds being set up around companies that are practicing sound ESG policies. When you layer in data and technology, it really starts to make these things important.”
“With ESG, the risk of not hitting targets may cause investors to lose faith and organizations to lose value — on the flip side, if handled well it causes value to increase. Our profession can be a part of that value creation… We are good with policies and procedures. We understand data management really well. We also understand calculations and estimations — how those should be done. That’s a big part of what’s under the ESG umbrella. We certainly understand control design and review, understanding operating effectiveness, and putting it all together and disclosing it. We can provide assistance in that process. Management owns it, but we’re there to help. When you think about what we do best, those five things I just mentioned, that’s who we are. That is our DNA as a profession. And when we have laws and regulations, we have the path to understanding how consistency can start coming into the equation.”
Technology Upskilling Is a Matter of Survival
Scott Arnold: “You know that technology is near and dear to our heart, so I’m wondering what role you think, in the midst of these transformations that are going on around cyber, ESG, skill transitions, what role do you think technology can help play in elevating the profession?”
Anthony Pugliese: “I’m going to try to change the wording there, but it’s not just changing the profession — it’s requiring the profession to change. Everything is becoming more and more driven by IT, so actually — not to be dramatic — it’s a matter of our survival as a profession that we engage in technology learning and skilling.”
“What we’re doing to help with that evolution is we’re looking at our certification, our flagship CIA, and other certifications to help in that transition. We also are looking at our standards — our IPPF, the core of our standards — and understanding whether we need to modify and evolve these standards to cover IT areas and give our members guidance.”
“We’re also looking at competency modeling. What does a person need to understand if they’re entering, say, cyber as a topic at what I would call a basic level of understanding? What about someone that’s been dabbling and they need an intermediate level? Or the advanced levels, people that know what they’re doing, but they want to keep in touch with the updates and changes. With modeling based on competency frameworks, members can jump in where they need. Around each one, we have what we call portfolios: conferences, self-study products, webinars, other mechanisms to help them learn the way that they’re best able to learn, and that’s an individual choice. And we’re making sure we partner with organizations like AuditBoard to help get that message out.”
Elevating the Profession and Doing Good in the World
Scott Arnold: “I know it’s important to The IIA, and it’s obviously very important to AuditBoard as well, that we make those types of opportunities available to those who may not otherwise be able to afford them. In partnership with The IIA, AuditBoard has sponsored the Elevate Scholarship Program to provide access to CIA training for those who were either dislocated by the pandemic, or now with a merit-based award. That’s part of, I think, the heart of AuditBoard and The IIA to do good and help others. Anthony, are there any other elements of your strategic vision going forward that center around this idea of not just elevating the profession, but doing good in the world?”
Anthony Pugliese: “We do a lot of good in the world. Like other professions can state, we are a benefit to the public interest. We do things that protect people and protect organizations where you may have investments or other things relevant to stakeholders. Our strategic plan, which is newly released in August of 2021, looks at six high-level goals that we want to use as our objectives to help members do better — and when our members do better, we believe that benefits the public interest at the highest level.”
“We want to make sure that we do advocacy work so that what we do and the way we serve the public interest is understood by legislators and standard setters and other regulatory bodies around the world, in the US for sure, but around the world as an objective… We want to evolve our image and our brand. I want people to know what it is we do when they hear the words internal auditor, Certified Internal Auditor, and Institute of Internal Auditors. I want those to have a meaning that we help shape about who we really are. We don’t just do financial controls, if you even know that — we do so much more. Another one is to enable the profession for the future by evolving our IPPF and making sure that we’re seen as a profession that is technology savvy. That’s a long lift. That’s why we say prepare for the future — it’s the sum of those parts, adding them all up. We’re working to lift the profession so that it’s ready for challenges like cyber and ESG — it helps our members do their work better, and that work serves a greater public good.”