The Top 5 Themes from IIA’s 2010 General Audit Management Conference
Posted on April 1st, 2010 by Michael Evans »Permalink
If your internal auditors left you alone this week, they were probably at the Institute of Internal Auditors General Audit Management conference down in Orlando. IIA GAM, as it’s affectionately known by those in the business, is the premier conference for senior audit executives. While attendees were there to brush up on their skills and network with peers, Audit Trail wanted to check out what was on the mind of senior internal auditors. The conference was covered extensively on Twitter so if you want all of the play-by-play you can get it here or check out a few pictures from Audit Trail’s own roving reporters. In the meantime, here’s a summary of our key takeaways:
Theme #1: You Can’t Audit a Business You Don’t Understand
In the cutthroat world of chemical manufacturing there’s a saying that goes: “If you don’t understand a process, you can’t model it, and if you can’t model it you’re not going to be competitive.” Based on conversations at IIA GAM, the same concept applies to auditing. Speaker after speaker emphasized that auditing skills alone are no longer enough. To effectively audit a process auditors must also be experts in the process. To that end, companies talked about how they are making that happen – by hiring people from non-traditional backgrounds, implementing rotational “guest auditor” programs and sending their staff to get training in the business they are auditing. In addition to a better audit it also gets you a jump start on Theme #2…
Theme #2: To Get a Seat at the Table With Executive Management You Need to Add Value
Once you get to the top spot in your internal audit organization where do you go? With so many chief audit executives in the audience a lot of the focus was on raising the profile of internal audit, getting a seat at the table with executive management and turning internal audit into a trusted advisor. In a nutshell, those that had succeeded at this advised their peers to “add value” by saving business managers money or providing them with new insights into their business. Some ideas: go find a control that you can eliminate, go find some money that’s being wasted, use analytics to show managers metrics on their business they haven’t seen before, recommend a way a process can be simplified instead of adding new tasks on top of a process. In short, be an advisor to the business in addition to being an auditor. Save them time, money and resources and you’ll earn their respect. But beware of success, one exec joked that he knew he had a seat at the executive table when he got his salary cut along with the rest of the executive management team when the budget was cut.
Theme #3: Internal Audit Needs to Shift Focus From What Has Happened to What Will Happen
Finance organizations have waged a seemingly perpetual struggle to shift resources from the backwards-looking functions that add up the dollars and cents to forward-looking activities focused on helping a company grow. While urging internal auditors to become change agents themselves, several speakers highlighted how rapidly things were changing around them. Whether you look at how regulations are being enforced (e.g. FCPA), entirely new risks that have emerged in recent years (e.g. social media) or the changing ethics of employees themselves (15% of college students reported cheating in 1963 while 67% said they cheated in 2007), it’s clear that audit has new things to worry about. One practical tip for auditors came from Sandra Cartie, Chief Audit Executive at Bristol-Myers Squibb. To keep her hands on the pulse of the business she audits she has her staff conduct a formal interview of top execs twice a year. They don’t talk about audits in those interviews. Rather, they discuss how the business is changing…and how it might impact the role of internal audit.
Theme #4: Risk Is Top of Mind But Enterprise Risk Management Remains Challenging
There wasn’t a single presentation that didn’t talk about risk. But it’s clear that when it comes to “Enterprise Risk Management,” or ERM, audit organizations are struggling with how to address it. The heart of the issue seemed to be reconciling “Enterprise” with “Management”. By definition, ERM assumes you’re looking across all of the risks in your organization so you can prioritize and determine how best to manage them. But reviewing, analyzing and classifying every risk is no small task. It requires a lot of cross-functional participation – especially in a large organization. Those that had embarked on an ERM project had clearly devoted significant resources to it. And judging by the questions and hallway chatter a lot of audit execs are struggling with how to approach this…and whether, in fact, it’s even internal audit’s role to drive ERM. The conclusion seemed to be that audit has a role in establishing an ERM program. But once an ERM program is up and running it needs to be turned over and owned by a separate group. Still, resourcing the effort remains a challenge…which brings us to Theme #5.
Theme #5: To Reinvent Itself Internal Audit Must Redeploy Its Resources
So…if you’re an internal auditor and the CFO didn’t double your budget or staff this year how are you supposed to become an expert in your business, add value, address new risks and kick off an ERM project? Lawrence Harrington, VP or Internal Audit at Raytheon put it best in his opening keynote: “Most companies only have a limited amount of money they can spend on internal controls. So if you’re going to change, you’re going to have figure out how to redistribute resources.” Harrington’s recommendation was to use technology to automate as much as possible. Eliminate the repetitive testing by using continuous controls monitoring (CCM) and other technologies to free up resources so you can investigate and monitor emerging risks, he advised. Start to show executives the business value of that technology (see Theme #2) and, over time, your budget will grow along with your credibility in the organization.
Were you or your colleague at IIA GAM? Let us know how this compares to your key takeaways. If you didn’t make it to IIA GAM does this square with what you’re experiencing day in and day out? Comment below or tweet us at @approva to join the conversation.
April 16th, 2010 at 6:24 am
Definitly that increase the relation Finance and audit profession is the way to go for the near future and a CCM is a must nowdays.
April 29th, 2010 at 6:04 pm
That was a quality article,You discover interesting things each day.
June 14th, 2010 at 2:33 pm
[...] familiar to regular Audit Trail readers, there’s a good reason for that. We’ve been saying it over and over now for some time that for controls to be effective, stakeholders need to come together [...]