Making Sense of Complex Change – Internal Audit and the Boardroom
Olivia F. Kirtley | President, International Federation of Accountants
Jul 20, 2016 | at IIA's 2016 International Conference | New York, New York | English
I’m delighted and honored to be here on the final day of your conference, and to be included as a keynote speaker in the company of such eminent and outstanding keynote speakers as former NY Mayor Rudy Gulliani and the former Australian Prime Minister, Julia Gillard.
Before I begin my remarks on Internal Audit and the Boardroom, I would first like to make a few comments as Chairman and President of the International Federation of Accountants (IFAC), and acknowledge the valuable, long-term relationship between IFAC and the IIA.
IFAC is the organization for the global accounting profession, comprised of 175 national professional accounting organizations in 130 countries. In addition to facilitating and supporting four international standard-setting boards for audit, ethics, education, and public sector accounting, IFAC supports the global accountancy profession with thought leadership, speaking out on public interest issues, and advocating for ways to enhance the effectiveness and impact of the profession in the public interest.
The IIA represents an important IFAC constituency and, shortly, my friend Richard Chambers—your global president and CEO—and I will sign a renewed MOU between our two organizations.
This MOU will formalize the continuing superb cooperation and collaboration between IFAC and The IIA.
It enables both organizations to continue to benefit from each other’s knowledge, experience, work, and advancement on many fronts.
We benefit greatly from the work that you do. And it helps us, together, advance many important issues in the public interest, including high-quality financial reporting, good governance, and strong risk management practices.
Thank you for all you do to contribute to the global impact and importance of our profession.
Over the last two days, the other keynote speakers have focused on quite broad issues—including the global economy and crisis leadership. There is certainly much to be said about these important topics in a world that is in desperate need of insights and leadership on many fronts.
But today, I want to bring it down to the level that is a bit more personal to you in your day-to-day activities—things that are directly in your control as you go about performing your job. I will focus specifically on your opportunity to impact the overall effectiveness of governance structures and corporate boards.
Throughout my career, I have very much been a proponent that everyone’s job, regardless of title or position within a company, is to help other people succeed.
I believe that should be the mindset of everyone in an organization, whether you are a seasoned leader or at the beginning of your career journey. If you think of your role in that way—to help everyone around you succeed—then I think you will view everything you do a little differently, and find it tremendously more rewarding.
Internal auditors, individually and as a group, are critical to the success of corporate directors in the boardroom. Our effectiveness in fulfilling our role of providing oversight and strategic advice for management is substantially dependent on your effectiveness.
Frankly, I do not know how I could have succeeded throughout my career—in the C-suite or in the boardroom—without internal audit’s independent and objective information.
But how you fulfill that role—how you communicate your findings, how you assess the organizational capabilities and effectiveness, how you evaluate current and emerging risks —all this really makes a difference not only in your effectiveness, but in how you can enable others to truly succeed.
I’d like to frame our discussion today with a quote from one of my favorite filmmakers— Stephen Spielberg.
You may ask: what does filmmaking have to do with internal audit? Well, filmmakers write their own stories. And we all have the opportunity to write our own stories—in our jobs and in our lives.
This quote is from a commencement address that he delivered at Harvard’s graduation just a few months ago—and his quote was this:
"Your conscience shouts,
'Here's what you should do,'
while your intuition whispers,
'Here's what you could do.'
Listen to that voice that tells you what you could do.
Nothing will define your character more than that."
And I would add: nothing will define your impact and success—and the success of those around you—more than that.
When you come to conferences like this one, you hear a lot about what you "should" do. You hear about experiences of others, best practices, tools, and techniques you might use.
But "should" is a passive view. "Could" is an active way of looking at the challenges and opportunities that you deal with on a daily basis.
So what could you do? How could you write your story differently to increase not only your success but to increase your impact on the success of all those around you?
Spielberg has more than 20 remarkable films to his credit – movies like Jaws, Jurassic Park, Indiana Jones and the Raiders of the Lost Ark, and Schindler’s List.
It was interesting for me to see that Stephen Spielberg was continuing one of his key themes from Schindler’s List—which was based on a true story—in his message to the Harvard graduating class. He was still focused this concept of what one “could” do. That story was about World War II. Some of you may remember that film, rated as one of the greatest of all time.
Oskar Schindler ran a factory with the help of his chief advisor and accountant, Itzhak Stern, which employed Jewish workers; he ultimately saved over 1,200 of them. At the end of the film there was a scene where Schindler received word that the war was over. His reaction was not one of celebration, but instead he said, quite emotionally:
“I could have done more. I could have got more out.”
So how does this translate into corporate governance and internal audit?
Oskar Schindler reflected on his failure to not save more people – that he could have done more if he had been more intentional, or less self-centered, or more focused - maybe this was fair, maybe not.
But in the corporate world, I have to wonder how many internal auditors and others have reflected on what more they could have done when they were associated with a corporate failure. Corporate failures destroy lives in their own way. All of us know plenty of examples, including many former household names: WorldCom, Enron and Tyco. And we all know there are many others that are not headlines.
That is where strong corporate governance comes in—and internal auditors have a crucial role to play in supporting the Board and the entire governance process. Your importance in this is not something to be taken lightly.
First, let’s define "corporate governance." It’s not just about board oversight. It’s a broader, holistic view of the systems, controls, risk, compliance, and oversight infrastructure throughout an entire organization.
Each year, there are surveys to identify the top issues that that keep boards and senior management awake at night. Currently, there are three issues at the top of that list that I would like to talk about. They are:
- Regulatory expectations
- And Human Capital.
Let’s start with cybersecurity.
Cybersecurity keeps moving higher on board and audit committee agendas, partly due to major data breaches, ransomware, state-sponsored external attacks and organized crime.
The proliferation of technology platforms and devices has caused an explosion in the amount of available data and information. And the value of data has increased exponentially—presenting a tempting target for many actors.
Every organization, in every sector, is a potential victim—no matter what kind of information it has.
I have heard it said that you can divide companies into two categories regarding data breaches and cybersecurity—those that have been hacked and those who don’t know they’ve been hacked. So while we might read in the news about some of the more high profile events— like recent issues at Target, Morgan Stanley, Deutsche Telekom, the Ukraine power grid, Hyatt, Twitter, or even the CEO of Facebook, Mark Zuckerberg, who had his social media accounts hacked—no one is immune and without issues.
One recent study reported 64% more security incidents in 2015 than in 2014. And another study said that the average cost of a single data breach has reached $4 million.
And data breaches and cybersecurity events do not just cost money. They can wreak havoc with computer systems… cause loss of data and intellectual property… prevent timely access to critical information, particularly in the health care industry…leak sensitive information to third parties or the media… damage investor confidence and customer loyalty… and severely harm a company’s reputation.
And although external attacks are often the focus of the media, internal threats posed by employees are certainly equally as dangerous.
A recent Harvard Business Review article estimated that at least 80 million insider attacks occur each year in the United States. And that number is likely much higher, as many internal attacks go unreported.
I recently participated on an Audit Committee Chair Advisory Council where there was wide consensus that “people risk” continues to be the greatest point of weakness, and one of the most costly sources of problems.
Often, these internal breaches are unintentional. An employee opens an email or an attachment with a virus… or clicks on a link and visits a website that infects the company’s network… or responds to ‘spear phishing,’ where an email appears to come from a legitimate business, bank, or credit card company, requesting verification of information and warning of dire consequences if it’s not provided.
A similar instance of malware was demonstrated just a few months ago at Bangladesh Bank. An official's computer was used by hackers to make payments via SWIFT, and carry out one of the biggest-ever cyber heists, stealing $81 million.
Internal auditors bring these cybersecurity issues to corporate boards on a frequent basis. Yet one study I read said that less than 1 in 3 organizations called themselves “very effective” at managing cybersecurity risk to an acceptable level.
Why is this and what role “could” internal audit play?
First, reflect on how you report your findings in your IT / cybersecurity audits. Do you simply report what the findings were—whether they were “satisfactory” or “needs improvement” — or do you also tell them why it matters?
In other words, does your reporting spell out what the consequences could be if these findings are not corrected and your view of the urgency of remediation?
As an example, we all know that inappropriate access, identification, and lack of updated and robust passwords is something you have been reporting on for years—in fact, so long that it has become expected in your report.
This ongoing issue should not be acceptable—particularly when research tells us that up to 80% of cybersecurity problems are not the result of attacks from outsiders, but from insiders.
However, until reporting is enhanced to include examples not only what you found but why it matters, the Board may not understand what could go wrong nor the magnitude of the potential issue.
You could greatly enhance your report by giving examples of how similar situations were likely part of the problem of recent data breaches in the news. What the findings are is certainly what you “should” report, but clearly detailing why it matters is of equal importance – and this is what you “could” do.
A second issue that keeps boards and senior management up at night is regulatory expectations and demands.
Today, businesses are faced with a complex and ever-changing array of regulations. And with the recent Brexit vote, more time and resources will be needed for many of us, as we analyze the implications and the impact, the potential changes in the regulatory structure, and how it impacts risk and audit plans.
Regulatory demands and increasing regulatory fragmentation makes everyone’s job more difficult—Boards, management and internal audit—but that is particularly true in the area of anti-bribery, fraud and corruption.
18 years ago, the OECD member states signed a convention to criminalize bribery of public officials. Since then, a growing number of governments—including the US, the UK, other European governments, and emerging economies such as China and Brazil—have passed anti-bribery and corruption laws.
Depending on your industry, you are required to comply with many regulations regarding fraud and corruption, including OFAC, anti-money laundering, FACTA, and more. We spend an enormous amount of time and resources on these compliance processes and controls. And a tremendous amount of time and resources understanding and staying up-to-date on the ever-changing regulations.
These are important investments. According to the World Economic Forum, the cost of corruption equals more than 5% of global GDP, or US$ 2.6 trillion. The World Bank estimates that the amount of bribes worldwide totals $1 trillion a year. The WEF further estimates that corruption increases the cost of doing business by an average of 10%. And, importantly, it diverts resources from people and places where they could do most good.
As part of the World Congress of Accountants held in Rome in late 2014—all those attending (6,000 of us) were invited to have an audience with His Holiness, Pope Francis, in his private auditorium.
He had a purpose for inviting us. Since being elected Pope, he was very focused on the impact of fraud and corruption on society and companies, which have the capacity to make lives better through a growing economy and employment.
Here I am introducing to him our profession’s leaders from around the world—a pretty incredible moment.
His Holiness said, when the economy is difficult (and I quote):
“There is a stronger temptation to defend one’s interest without concern for the common good, without paying much heed to justice and legality. For this reason everyone, especially those who practice a profession which deals with the proper functioning of a country’s economic life, is asked to play a positive, constructive role in performing their daily work."
His challenge to us, as a profession, was that we could do more.
Several months ago, I also had the privilege of speaking on behalf of the global accountancy profession at the OECD’s Ministerial Meeting on Anti-Bribery and Corruption. Attorneys General or Ministers of Justice from over 40 countries were gathered. You can see the U. S. Attorney General Loretta Lynch at the center of the front row (and me in the peanut gallery on the back row on the right!).
At this meeting, Transparency International stated—
- Only 1B of the world’s 7B live in a country without serious fraud and corruption
- Corruption costs $2.6T US$—5% of global GDP annually (remarkable!)
- And in IFAC’s own 2015 Global Small and Medium Practice Survey—over 50% reported that at least one client experienced financial crime—including bribery / corruption.
If you think this is not an issue for your company, you are very likely wrong—sort of like the companies that don't know they’ve been hacked.
Unfortunately, a recent survey showed that the substantial majority of internal auditors have no training on fraud beyond a very basic level.
As companies continue to expand internationally, this is an area that requires much more focus and much more training. Understanding local cultures and norms is essential to have the appropriate professional skepticism and knowledge.
The UK Financial Services Authority criticized compliance and internal audit functions several years ago, saying (and I quote): "compliance and internal audit staff generally completed no more than standard ﬁnancial crime training, so their knowledge was patchy considering their important roles."
This is a really big governance issue—particularly the risk of running afoul of bribery, anti-money laundering or Office of Foreign Assets Control regulations. These issues can bring a company into the sights of the regulators in ways that can halt growth and business as usual for very long and unpredictable periods of time.
This is among board members’ worst nightmares. It is also a huge reputational issue, on which Boards are extremely dependent on Internal Audit to be their eyes and ears in identifying potential vulnerabilities and weaknesses. And this is one area where materiality is not a consideration. All issues are considered equally bad by the regulators. The current environment is one of zero tolerance, so getting this right is critical.
This is an area where internal auditors “could” do so much more. By providing leadership in this area. By expanding the scope of what you do—particularly knowing that these issues are not judged by materiality. You could also do much more in the area of training and continuing education in certifications — individually and as a group.
Formally identifying high-risk third parties. Exercising your right-to-audit clauses. Using data analytics to identify potential shortfalls in monitoring and controls—these are all areas for potential enhancements that would assist Boards in their oversight responsibility.
A third issue that keeps boards of directors and senior management up at night is human capital—or talent.
This is an area where internal auditors can plan to take specific steps to build their importance and value with all of those involved in governance—both within the management governance structures and the Board of Directors.
For internal audit professionals to be seen as trusted advisers and strong contributors to the governance process, they must be viewed by all key stakeholders as having strong knowledge of the organization’s key business matters and risks.
You must be seen as able to provide advice and perspective on issues beyond merely providing assurance. Without deep knowledge of the business, internal audit will not earn the trust of the line managers and senior management, nor of Board members.
Possessing that strong knowledge is particularly challenging in today’s fast-paced, changing business environment. New subject matter areas and specialized knowledge are growing exponentially.
But your work can only be as good as your people and their knowledge. And that must be appropriately matched against the knowledge of those you are auditing and the emerging issues.
KPMG recently teamed with Forbes magazine to survey more than 400 audit committee chairs and CFOs regarding their perceptions of the value delivered by internal audit. One of the findings of the survey was that 55% of respondents indicated they want internal audit to do more to improve its knowledge and expertise to a point where it can match the sophistication of its audit targets. This level of knowledge and expertise is essential for key stakeholders— including those charged with governance—to view internal audit as providing valuable information regarding key issues and challenges.
And the evaluation of talent needs is not only for the internal audit staff. It is also for the business lines and control processes that you audit. This is an area where Boards particularly need insights.
Although many of you may view this outside the scope of what you traditionally do, let me tell you why I think internal audit should also evaluate the talent in business areas.
I recently heard a great talk by Malcolm Gladwell, the famous author of books such as The Tipping Point, Outliers, and Blink. I have had the privilege of hearing him speak twice over the past year, and each time was so impressed with his ability to frame difficult issues in memorable ways.
The first time I heard him, he talked about how we are moving from a world of solving puzzles to solving mysteries. That it was no longer good enough to look at existing information and figure out how it all fits together—or completing the puzzle—but that we were now being expected to look forward and find ways to use large bodies of data and information and move to solving mysteries. I think this is very analogous to the expectations of professionals today—including internal audit.
The second time I heard him speak, he talked about talent—and in particular what he called “weak link situations” and “strong link situations”. He illustrated his point by comparing basketball and soccer teams. He called basketball a “strong link sport” where you should pay up for the superstar player because one or two really strong players could take you to the championship win.
But soccer, he believes, is a weak link sport. It’s fundamentally collaborative. All 11 players on the team must understand their roles and make a contribution—even the ones that aren’t the most talented. Even one or two great players can’t move the ball downfield alone… and a mistake made by any team member is harder to overcome by the great players and disproportionately impacts the outcome. So you would do better to spread the pay across the team rather than relying on one or two star players, assuring that you have strong skills and talent throughout the team.
This is a great analogy for an optimal governance structure. The first line of defense is the staff in the business lines. The second line of defense is risk management and compliance. The third line of defense is internal audit. The first and second line are like the players on the field and the third line is like the goalie.
It shouldn’t be only a “star” goalie that is stopping the ball and protecting the goal. You have to have good players on the field.
As an internal auditor, you are the third line of defense, but you need to be concerned with the first and second lines too. If the people in the business lines and in risk management and compliance don’t have the right skills and talents—if the right people aren’t in those roles and there are weak links—there will be more balls getting through, which increases the risk profile. Goalies can only do so much.
The final talent issue is diversity – both within your internal audit teams and business line teams. This is critically important, particularly with the global nature of businesses today.
This is not just an equality issue, or a moral or social issue. It’s smart business. It’s essential to have diverse teams to match against the many issues and perspectives coming at companies today. Research has shown that more diverse teams have higher performance and more innovative approaches to opportunities and challenges.
Diversity and inclusion goes far beyond gender and race. It includes generational diversity. And cultural and demographic diversity. Embracing the full variety of opinions, views, and perspectives enables better decisions and greater progress on many fronts.
Talent is an issue where internal audit should and “could” do more.
One area where internal audit can contribute greatly to the governance process is in how you communicate, how you gather information, and how you ultimately tell your story. I think this will be a constant challenge and a work in progress for the rest of your professional careers.
As situations change, as the different people and personalities of the people you deal with change—within management and on the Board—you will need to be constantly adjusting and refining to determine what is most effective. This is definitely an area where “no one size or style fits all”, so asking and listening to various stakeholders about what works best to highlight and discuss critical issues will be an ongoing journey.
But you must begin, and be focused on that journey to truly be an effective internal auditor and for the outcome of all the hard work you do to have influence and help others succeed going forward.
According to the IIA’s 2016 North American Pulse of Internal Audit research, many internal auditors need to improve their interpersonal skills. Many respondents rated their average team member as only moderately proficient in most soft skills, with 49% rating their average team member as moderately proficient in organizing and expressing ideas clearly, and 9% rating the average team member as only slightly proficient at this skill. That means over half of the ratings were less than proficient in organizing and expressing ideas.
This definitely needs attention, assessment, training, and ongoing feedback to find ways to help everyone on your team improve.
For internal audit to support the governance structure of any organization, communication and telling your story in a way that influences action and appropriate follow up is essential. You will otherwise not have the impact necessary to help your Board and management succeed.
As an Audit Committee chair of several public companies, I have had the privilege of working with many Chief Audit Executives and their internal audit teams—ranging in size from 5 to 300. Some of the CAE’s have reported directly to me as the Audit Committee Chair, with a dotted line to the CEO. Together, we have worked hard to design reports to truly highlight and call out the most critical findings and messages—both positive and negative—for both the Audit Committee members and senior management.
One CAE and audit team, in particular, has continuously exceeded my expectations, and that is at US Bank. Although I am no longer the Audit Committee Chair there, since I have recently rotated to Chair the Risk Committee, it was so rewarding to see over the last two years how the reporting continued to get better and better every single quarter.
They developed succinct executive summaries, graphs, colored-coded charts, and many other visual aids to really communicate their findings and tell their story. And just when I would think they could not do it any better—they did! This was critical since their reports to the Audit Committee are normally close to 300 pages long after including all the items the financial regulators want the Audit Committee to receive, so not allowing the real story to get lost in that volume of paper was extremely important.
Since they embarked on this journey of improved reporting, the CAE, Mark Sparano, and his team have never been satisfied that there are not areas for improvement in both written and verbal communication. They decided that excellent reporting is a journey, not a destination. In fact, they are driven by the motto “better every day”.
And I will tell you, it has been noticed by the rest of the Board. Board committee counterparts are now challenged to try to meet the standard that has been set by Internal Audit in their reporting to the Audit Committee.
It can be done. And it is something that you not only should do—but it is what you “could” do —which would result in a much more effective job in telling your story and greatly aiding the governance process.
Let me close by saying that traditionally, internal audit controlled and safeguarded corporate assets, conducted regulatory compliance, and enforced corporate policies.
That is what you should do. - - - But there is so much more you could do.
You could build relationships and engage more across the organization—and outside it— with management… regulators… the audit committee… the risk committee… compliance… legal. You’ll gain information and knowledge that will help you better understand their perspectives and challenges.
You could move from only “calling balls and strikes”, to that of a trusted advisor by focusing on the future as well as the past.
You could inspire an even stronger, sustainable control culture that supports and enables a strong governance environment.
You could not only report your findings—you could explain why they matter, what the risks are, and the urgency of remediation.
High-quality information to management, the board, and its committees is the lifeblood of good governance.
I encourage you to start with a clean sheet of paper and think: What would you want to know if you were sitting on the other side of the table? If you were on the board?
And what reporting format could best convey that information?
By focusing on what you could do to help others do their jobs more effectively, you’ll be more valuable to your organization and help the individuals within it be successful.
And you must not only have good intentions, you must act intentionally—individually and as a team. And remember that:
Individually, we may be ordinarily people, but together we can achieve extraordinary things.
Or as Steven Spielberg said to graduates at Harvard:
"My job is to create a world that lasts two hours. Your job is to create a world that lasts forever. You are the future innovators, motivators, leaders and caretakers."
Thank you for having me here today—and I am glad to take questions.