Curious about what forward-thinking audit leaders expect from technology, remote work, travel, and more in the months and years to come? In this episode of AuditTalk, AuditBoard clients spanning industries and regions come together to discuss predictions for the next decade of internal audit.
AuditBoard’s Jason Sechrist sat down with Laura Ganann (Sr. Director, Global Audit Solutions, Walmart), Doug Sasso (Head of Global Audit, EPAM Systems), and Angie Negron-Nieves (Director of Internal Audit / Risk & Controls, Party City Holdings Inc.) for a robust discussion about their plans to respond to increasing complexity across the business, build relationships with key stakeholders, and leverage technology to further add value to their organizations — today and in the future. Watch the full conversation, and read the can’t-miss highlights below.
As we look to the coming decade, we expect more change and uncertainty. How do you adapt to changing business conditions and remain a trusted advisor?
Doug Sasso, EPAM Systems: The way we coach our team members, both our internal team and the folks from our partner, is to focus on today’s delivery of quality audit services. Give good audit insights through the work that we do, and that naturally leads to the next opportunity, the next initiative that we’re informed of and ask for help on.
Angie Negron-Nieves, Party City: It’s important to build confidence and relationships with key stakeholders. You’re not going to have a seat at the table if you haven’t proven yourself to create value. It’s keeping abreast of issues that could arise, having the ability to look at issues through a risk lens that management may not necessarily have, and being able to leverage your historical knowledge toward other creative solutions.
Laura Ganann, Walmart: We were one of the essential businesses that remained open, and when we were dealing with the throes of COVID… there was a lot of what we were calling “pop-up” processes as the business tried to adjust quickly. Having good relationships with the business and having established value before this time really helped us because we didn’t slow down at all. People were saying, “hey, we had to do this really fast. Can you come and make sure that we put the right controls in place?” We got a lot of new business as an audit team for that. On the other side of the coin, we also had people saying, “can you come look at old processes and make sure those are still going well, because we don’t lose sight of those?” The last months have really been about getting in and doing those quick audits to give everybody comfort.
How have you had to adjust priorities in this dynamic environment, and how do you see that shaping your group going forward?
Doug Sasso: We’ve always had what I call a dynamic approach to our audit plan. We’ll set an annual audit plan, but we have a relationship with the audit committee where they support our ability to recognize a shift in priorities, initiatives, or risk across the business, and our need to adjust our audit plan accordingly. Usually that comes in the form of adding to our audit plan, but this year there were a few things that no longer made sense because the risk changed. In the Q2 timeframe, when everything shifted to a work from home environment, we put a slight pause to our operational audit plan. We then accelerated some initiatives around digital enablement for our internal audit team that were part of our three year strategy. The timing worked out well, and slowing our interaction with other stakeholders was important to allow them to dedicate time to making the shift in the risk environment. So, we had a typical year in that we adjusted our audit plan, but atypical in the sense that the reasons for it were totally unforeseen.
Laura Ganann: We had a period where we said, everybody’s kind of in crisis mode, let’s talk with our customers and figure out where we need to back off. One of the first things that we did was to offer ourselves up and said, “look, internal audit can come and help you.” We evaluated conflicts of interest — we didn’t want to create any of those, of course — but we knew that they needed help, and we wanted to offer it no matter what. It also helped us stay connected with them — to look at what everybody was doing and apply that risk lens. We even ended up writing a couple of memos when we saw that things were headed down a path that wasn’t great. So just being boots on the ground was really helpful because we had a valuable perspective to offer and we got some goodwill at the same time because people really appreciated that we came in a crisis and worked with them.
In the next decade, travel is not going to look the same. How are you approaching reductions in travel, and what lessons have you learned this year that you’ll apply going forward?
Laura Ganann: I don’t think we’re going to take travel off the menu. I don’t think that you can replace the value of an in-person interaction sometimes — but this year has forced us to evaluate what we can do without that extra time and expense. Normally a big part of our audit plan is getting out to the stores. We’ve evaluated those audit programs and thought, “OK, what can we audit with the security cameras? Is there footage that we can look at from the home office and evaluate how a process is working out in the stores without actually traveling there?”
We’ve also gained some efficiencies where we had to think about how we can partner with the different lines of defense. Can one person go on-site and then provide insights to the other lines of defense? Can we rely on our compliance continuous monitoring team as they’re out in the stores to take pictures and gather evidence for us? Can they rely on us? So it’s not just about less travel, but if someone’s going, how can you leverage that differently?
Doug Sasso: Our operational audit plan includes some site visits that typically were done in person pre-COVID. Obviously, we took that off for this year, and we tried to do as much as possible remotely without losing the deterrent effect of having that internal audit watchful eye can have on controls operating appropriately throughout the organization. We found that we were able to execute about 90 to 95% remotely — though not the same level of value that we would get if we were physically there. I do see travel picking back up for our operational audit plan for the same reasons that it was there previously, but I also think we’ve been very conscious of the ability to do things remotely — and that might change the way that we do some of our work in the future.
Angie Negron-Nieves: There’s so much value to being on the ground. Sitting down with key stakeholders that you’ve only spoken to over the phone is invaluable because when you come back home, they have the ability to pick up the phone to ask you questions and make sure that they’re partnering with you — leveraging other parts of the business and making that bridge, that’s value you’re creating. I think having that travel aspect can’t be replaced, but there are also other ways that you can identify change in the organization and keep abreast of it. Making sure that you have a seat at a steering committee or at a management discussion, it’s critical that you already have those established relationships because they’ll be able to pull you in as a trusted advisor.
What has your digital transformation journey been like, and how do you see yourself setting up to adopt new technologies in the coming decade?
Laura Ganann: I think that internal audit faces challenges when it comes to really diving into technology the way that we would want to. It can’t just be one or two people that know how to do analytics within your group. Everybody needs to know the basics of Power BI or Alteryx or Tableau, etc — otherwise that creates a bottleneck or a limited capability within your team. We’ve been working on bringing everybody’s skill level up, and we’re playing around with some new technologies. We’re doing some natural language processing where we input our findings to see if it generates themes that we can bring back to the business or start focusing on in our audit plan. It actually generated some pretty interesting things that we just took to a pretty important committee to say “here are the things recorded in the last 12 months that are preventing you from being able to achieve your objectives. Some of this may not even explicitly come out in our audit reports, but we’re going to make sure that we’re focusing on them as we go audit next year.” So, I think technology use can take a lot of different forms, you just have to have a little bit of creativity and the right skill sets.
Doug Sasso: Sometimes it’s not practical to hire the skill sets that you need to complement the team, so we see the future involving being creative to achieve that strategy. For us, it’s about encouraging our team members to be able to think of the concept and then be creative in how we accomplish it. Maybe it’s making a phone call to somebody who has that skill set, or sourcing with another firm if we don’t have that skill set internally. We do this in other areas as well, leveraging resources and skill sets that exist in your company, just not within the internal audit function.
Angie Negron-Nieves: I don’t think the future is going to be putting people in a box where you do business processes, while someone else deals with IT. IT is going to be a discipline that you’re going to need across the board, because now when we look at business processes, there’s always an IT angle to it — you’ll be surprised how integrated it is. It’s critically important to make sure that the folks coming in have the ability to understand systems, technologies, and dependencies because that’s fundamental on the business side as well.
What are some of your main goals for internal audit, and how are you aligning those team goals with the organization’s larger strategic objectives?
Doug Sasso: To continue to provide the kind of value that we would expect of ourselves in the future, it’s going to involve all the things that we’ve talked about today. Building those relationships, being seen as a trusted advisor, getting a seat at the table to be able to deliver on those initiatives. Part of our goal is to define our strategic plan and get that buy-in both from our executive leadership team and the folks under them by delivering good quality services. That’s what we focus on today, and I think it’s going to be critical to us achieving that goal in the future.
Angie Negron-Nieves: I think it’s always important to communicate what your vision is. Our core value is creating value to our customers — but we have both external customers and internal customers. It’s key for our group that we make sure we’re giving value to our internal customers, whether that’s management or another stakeholder. Also getting that seat at the table and adding values in other areas — looking to explore some operational audits, or potentially integrating and launching an enterprise risk assessment and a program as well. Sharing that vision and how we can add value — I think it’s really important.
Laura Ganann: One thing that we’ve focused on heavily and will continue to focus on is the concept of helping the business more with remediation. I think it’s easy for auditors to kind of get into the habit saying “OK, we found something. Here it is. Please submit your management action plan and we’ll record that.” We don’t get in the room with them and help figure out how they can solve this problem. We’re solving really hard problems today, and it helps when audit is part of the process to make sure that they solve it in a way that addresses root cause and is sustainable. Because of our role, it’s one of the best ways that we can help the business achieve their objectives. When they can say audit really partnered on this, they didn’t just come in and point out all of our problems and leave — it wins audit a lot of points.
Stay tuned for more AuditTalk video interviews with audit community leaders about industry issues, insights, and experiences!
Learn how AuditBoard's integrated suite of easy-to-use software (audit management software, SOX compliance software, risk management software, audit workflow software, and compliance management software) can empower your team.