When North America went into COVID-19 lockdown a year ago, organizations everywhere were sent into a largely reactive mode, doing whatever it took to help their business adjust to the new normal. After transitioning workforces to remote bases and activating business continuity plans, business-as-usual resumed, but with new priorities and areas of focus for the immediate future.
For audit and risk leaders, one of the biggest priorities over the past year and going forward has been finding ways to embed efficiency, automation, and modernization into their business functions and processes. At the same time, they have had to balance the needs and expectations of management, the Board, and the audit committee. In a recent series of virtual audit leader roundtables hosted by AuditBoard, audit leaders in California discussed the strategies they have employed to add value to their businesses while working remotely. We’ve collected insights from the three most-discussed topics below. We would also like to express our appreciation to the audit leaders who shared their experiences and their time.
How CAEs Are Adding Value while Remote
More than ever this past year, internal audit and risk leaders have had to pivot effectively between providing assurance and advisory services, all the while focusing on adding value while keeping objectivity in place. One way that risk leaders have found success in complex stakeholder environments is by clearly outlining expectations for the first, second, and third lines in projects such as readiness assessments. Below are additional strategies risk leaders at the roundtable have employed to add value:
- Developing a “menu” of services to enhance internal audit coverage, including: audit projects, assurance function design, capability mapping/maturity assessments, engaging in governance forums.
- Helping management build up the second line of defense (e.g. InfoSec, compliance, and cybersecurity functions) by helping to frame discussions around how to design those functions.
- Building a culture of compliance: preparing the business for what to expect with upcoming regulatory changes through regulatory readiness assessments and pre-implementation reviews.
- Reducing the number of process audits in favor of moving toward a risk-based approach and focusing on areas of heightened risk, such as cybersecurity.
- Improving the risk assessment process by standardizing risk ratings across the organization.
- Aligning with external auditors early on to understand the risks they will be focusing on versus testing controls the same way they have been tested before.
- Performing a controls rationalization exercise to optimize controls and eliminate duplicative testing efforts.
- Performing integrated engagements with other lines of defense wherever possible in order to improve coordination in working toward the same goals.
- Focusing on audit preparedness for M&A so that audit’s perspective can be readily available to factor into purchase price assessment, working capital assessment, etc.
“If you ask employees how working remote is going, they will all say it’s going great and that they’ve not missed a beat. I don’t think I’ve ever heard anyone say that they’re struggling — and I think the truth probably lies somewhere in the middle. There are a variety of reasons why employees might be less productive, for example, they’re caring for children who are at home, their work set-up is not ideal, they have limited internet bandwidth, etc. As leaders, we need to understand the challenges our employees are having and allow flexibility in how their work is completed. One positive outcome from working remote has definitely been the acceleration of our digital capabilities — I haven’t printed anything in a year.” – Perry Liu, Chief Audit Executive at CSAA Insurance Group
“We’re rolling out a philosophical shift in internal audit, moving from mostly backward-looking assurance testing to a more forward-looking orientation to truly be risk managers. We’re calling it embedded assurance, where we’re embedded with the team, but the team owns the outcome — we’re here to help them get to the right outcome first instead of just coming in after the fact to say they got it wrong.” – Jim Campbell, Director, Global Internal Audit at Franklin Templeton
“There are some key areas where we are seeing internal audit add tremendous value. The biggest area is the expansion of analytics. Companies should consider turning to data analytics as part of their strategy for providing meaningful insights. We are also seeing a lot of companies where internal audit is initiating culture and employee productivity assessments — partnering with HR and the broader C-suite to learn how effective people are in this remote environment. Obviously, cybersecurity is an area of heightened risk, and internal audit is adding value by performing independent assessments of InfoSec capabilities, cyber maturity, and endpoint security. All these are crucial areas where internal audit can step in to add value to the organization.” – Kajal Shah, Audit & Assurance Partner at Deloitte & Touche LLP
“Every company is being asked to do more with the same resources. To help streamline our processes and gain efficiencies across SOX and internal audit, we are bringing in AuditBoard to help us deliver real-time updates, relevant and timely reporting, and overall assurance requiring less time.” – Erika Rodriguez, Senior Director of Internal Audit, Herbalife Nutrition
Increased Focus on Employing Data Analytics and Automation Technology
Overall, lockdowns have led to greater investment in digital capabilities to enable flexible remote working and promote productivity at home. The focus on efficiency has also paved the way for expanding data analytics and automation technology in audit and risk management processes. Audit leaders are thinking critically about ways to save time by utilizing data and analytical capabilities to their advantage, rather than falling back on surveys, agendas, and meetings. Ways audit, risk, and compliance leaders are adding value with data analytics and automation technology include:
- Driving the process of becoming a data-enabled function by adopting a true digital system of record that ensures the business has valid and accurate data to monitor risks.
- For those with existing data analytics technology at their fingertips, relying on dashboards for insights that can help inform risk action plans and priorities, rather than sending out assessment surveys to hundreds of people.
- When performing data analytics on a large amount of data during an audit, embedding insights/advisory recommendations that might be valuable back to that area of business in the audit report.
- Focusing on obtaining data in a more automated manner through integrations between various solutions (ERP, ERM, GRC) that allow for automatic updates to the risk assessment and other risk data.
- Building efficiency into the audit lifecycle by leveraging a cloud-based audit automation solution to streamline audit planning, fieldwork, issue remediation, and reporting processes.
- Adjusting risk assessment scoring based on input from the business and changing understanding of the business throughout the risk assessment process; bringing in ERM data to further enhance the assessment.
- Leveraging compliance technology to streamline the process of obtaining compliance certifications including SOC 2 and ISO 27001.
- Working with management to ensure they have the most efficient process in place prior to leveraging data analytics and RPA to automate controls and processes.
- Automating controls and processes with an agile environment in mind: logical access and user access reviews, building compliance reporting into the continuous auditing environment, etc.
“I’ve seen digitization prompting a lot of investment in the risk management planning process. Organizations often fall back on the old habit of sending out a survey to 200 people to gather the general sentiment about risk. Why use this time-consuming method when we already have the data at our fingertips? Risk managers at organizations that have the analytical capability should take advantage of it! We should be able to pull up a dashboard and say ‘Do we have something flashing red that we need to take care of? Is there something trending from yellow to orange that we need to start paying attention to?’ This is one area where we’re actively trying to change the mentality from managing risks through gut feelings to managing it through real data.” – George Chiu, Head of IT Audit at Applied Materials
“In terms of automation and continuous control monitoring — both for IT and business process controls — this is one area where we have seen companies spend a lot of time and resources, but also seeing a significant boost in savings and effectiveness. One of the most common challenges that we’ve been seeing is that if a process itself is not automated, then you can’t truly automate the control, but you may still have some benefits from automation of control alone e.g., timely identification and remediation of control issues. However, a leading practice would be to first work on process automation on the management side, and then on controls automation. Investing the time on the front end to set up continuous control monitoring that actually works can really pay off in increased time savings, accuracy, and effectiveness down the line.” – Ashok Parmar, Partner, Accounting and Reporting Advisory at Deloitte & Touche LLP
Addressing Culture Risk
For many employees, company culture has faltered in the shift to remote working without regular face-to-face interactions in the office. It is also harder to assess culture and performance in a remote environment. Many newly remote employees have not been as productive while working from home due to reasons ranging from childcare and household responsibilities to poor internet connection. However, remote work by necessity has also enabled organizations to push forward with digital capabilities. These are some of the ways risk leaders are addressing one of the biggest risks that came with lockdown:
- Understanding the people on your team — different stages of life have different needs — and adapting to their connectivity needs by tailoring check-ins, happy hours, breakout team games, and standup meetings to fit what works best for the team as a whole.
- Partnering with HR to initiate employee productivity assessments to learn how effective people are in the remote environment.
- Performing a micro culture assessment during a single engagement to understand a distributed team better, learning from the results, then scaling and repeating the process throughout the workforce.
- Performing endpoint security assessments to assess maturity, as cybersecurity is a heightened risk with remote workforces.
- Postponing independent culture audits focused on the values and mission of the organization until workforces return to the office.
- Being mindful about distributed hires: how to thoughtfully onboard new people and welcome them into the organization’s culture in a remote-first environment.
- Looking to tone at the top — what works best for the organization’s model and customers — to continually evolve the remote working model.
- Considering second line hires with skillsets that are conducive to greater efficiency and productivity among first, second, and third line teams that work closely together; for example, a second line hire experienced in the coding language used by the engineering/dev team they will be working with.
“We were scheduled to do a culture audit last year, but decided to postpone it because we felt there would be too much focus on COVID and working from home. I’m sure it’s different for every organization, but COVID has definitely impacted our culture. Volunteerism is a big part of our culture and we have not been able to do that during the pandemic. As we plan our return to office, I think about what working in the office will be — we all miss the hallway conversations and chats at the water cooler and you can’t help but wonder will it be the same if we are required to have social distancing? Are we going to be all spaced out in a conference room together? Many of us have been using dual screens for video conferencing and it will be an adjustment if we only have our laptops. Are we going to be wearing masks — and if that’s the case, I may prefer to continue working remote. As part of our risk assessment, we will determine the appropriate time to re-visit the culture audit to assess our culture against our core beliefs.” – Perry Liu, Chief Audit Executive at CSAA Insurance Group
“As head of audit, one thing I’ve kept top of mind especially since going remote is to know your audience. Every team has a mix of different personalities and people at different stages in life — their needs are different as well. It’s about factoring that understanding into the ways we interact whether it’s video on vs off, or deciding to offer breakouts, games, or keeping it light on the activities — making sure we’re meeting people where they’re at.” – Laura Toubin, Vice President, Internal Audit at Envista Holdings Corporation
“One shift I’ve made is to stop using the term ‘culture audit’ and instead call what we’re doing a culture assessment. How do you audit something as squishy as culture? A culture assessment has resonated better with me and with my stakeholders. We’re starting on a micro-level with one particular engagement related to the distributed workforce, where we have people from multiple countries working on one team. We’re feeling our way in this first engagement, and then we’re going to scale and repeat these culture assessments going forward to make sure business activities, incentives, and people are aligned with the organization’s values.” – Jim Campbell, Director, Global Internal Audit at Franklin Templeton
Across the board, risk leaders have stated that flexibility in the context of different stakeholders’ expectations and needs has been a key to success, in addition to striving to incorporate efficiency into their audit plans and testing programs. While these priorities and areas of focus will continue to evolve as employees return to the office, what will endure is the push to build greater collaboration between the three lines as well as investment in enhanced digital capabilities and integrations to improve the quality, timeliness, and value of risk data.