A NEW ORDER: THE KEY SKILLSETS NECESSARY TO THRIVE AS … Paper... · 2019-04-23 · a new order: the key skillsets necessary to thrive as head of internal audit today 2 table of

A NEW ORDER: THE KEY SKILLSETS NECESSARY TO THRIVE AS HEAD OF INTERNAL AUDIT TODAY

The views and opinions expressed in this paper are those of the authors and do not necessarily reflect the official policy or position of Thomson Reuters.

An IIA-SAC-Thomson Reuters Roundtable Discussion in Singapore

By Katherine D’Arcy

A NEW ORDER: THE KEY SKILLSETS NECESSARY TO THRIVE AS HEAD OF INTERNAL AUDIT TODAY 2

TABLE OF CONTENTS

CHANGES IN BUSINESS ENVIRONMENT 3

SKILLSETS THAT A HEAD OF INTERNAL AUDIT 4

SUMMARY TAKEAWAYS 7

DEFINITIONS AND ACRONYMS EXPLAINED 8

KEY SKILLSETS REQUIRED TO THRIVE AS HEAD OF INTERNAL AUDIT 9

REFERENCES 10


The International Professional Practices Framework (IPPF), which is the global accreditation and standards program produced by the Institute of Internal Auditors, is currently undergoing revisions. When it is released later this year, it will include a mission statement for internal auditing that is expected to emphasize the fact that internal auditing should enhance and protect organizational value.1 But what skillsets will be needed by the leader of the internal audit team to ensure success?

Internal audit has long been considered one of the four pillars of corporate governance, but the Head of Internal Audit’s role has changed from that of super-accountant with a focus on internal controls, to one requiring an advanced understanding of organizational psychology, forensics and big data analytics. Moving from cop to counselor, and from reporting to the CFO to Chair of the Audit Committee of the Board, the Head of Internal Audit – particularly in large organizations2 – is now often engaged with the first line of defense on important issues, rather than waiting for issues to bubble up in their role as the third line of defense.

This change in focus is filtering down into the broader internal audit team. A recent survey by The IIA’s Audit Executive Center highlighted the change, reporting that audit executives are increasingly seeking job applicants with skills in analytical/critical thinking, data mining, business acumen and IT, rather than accountancy.3

When trying to evaluate the key skillsets that a Chief Audit Officer or Head of Internal Audit needs, the scope of the organization will matter. The requirements of a large multinational, operating in multiple regulatory environments and with different lines of business, will be more complex than a company with one line of business in a single country. Business sectors are also a factor. For example, global financial services organizations attract more regulation. The style of business will also have a bearing – for example how much is online? In the digital world all access points are vulnerable, as is the massive amount of data being stored and processed. If the company is public or using capital markets to raise funds, there are further risks – not only reputational.

CHANGES IN BUSINESS ENVIRONMENT

Several factors are contributing to the seismic changes that the internal audit discipline is undergoing at the moment, and driving the need for new skillsets for Heads of Internal Audit. Below is a selection of these factors, with comments from Heads of Internal Audit on the impact that they are having.

Increased Connectivity and Risks“Corporate boundaries are getting very blurred. Businesses are no longer stand-alone entities; they are reliant on each other. There are businesses that are

your competitors and your suppliers. The supply chain is hugely important and something internal auditors must look at.”

“Even the term ‘internal audit’ has changed so much—30% of what we do is not internal. You outsource a lot of things; you pass things to other parties.”

Increased connectivity is adding new complexities to the business environment. It has blurred the lines between suppliers, agents, manufacturers, clients and staff and has increased the level of third party risk that an internal auditor has to monitor. This includes sanctions, organized crime, fraud, money laundering, bribery, terrorism and country risk. Failure to ensure that processes around third party risk are robust could mean regulatory fines and censure, as well as often severe reputational damage and financial loss.

Increased connectivity has created another new challenge – cyber risk. The massive amounts of data that are kept

electronically mean that more safeguards are necessary, often at multiple access points. External threats are evolving every day, added to which huge volumes of historical data will need to be mined to identify risk and potential fraud.

“Based on our education, we are not really ready to handle cyber security risk.”

Cyber risk has come into being very rapidly, and internal audit teams can struggle with understanding an appropriate way to engage in this area for their organization. In January 2015, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released “COSO in the Cyber Age” in which it noted that in 1992 there were only 14 million internet users. Today there are three billion. The article focuses on the questions companies should ask internally about cyber risk. They include such things as identifying where critical assets reside, having the right talent and incentivizing openness and collaboration across functions and operations, as well as with external partners, vendors, regulators and law enforcement.

More Regulatory ConsiderationsIn a 2014 Thomson Reuters survey on the Cost of Compliance, compliance officers cited 14 new areas of regulation that would require more monitoring and control4. These ranged from

international anti-money laundering (AML) regulations and Basel III (international) to Dodd-Frank (US and international) and Consumer Financial Protection Bureau regulations (US).


Respondents in the 2015 Survey said that they were worried about 21 specific items for 20165. Among these were: Basel III (international); the Data Protection Directive (Europe); Dodd-Frank (US); the Foreign Corrupt Practices Act (US); the Sarbanes-Oxley Act (US); and the Volcker Rule (US).

While some of these apply to the financial services industry, many are further reaching. Unfortunately, while compliance officers typically spend around 10 hours a week reviewing new regulations, most spend little time working with internal audit about related assurance measures. Although the amount of time compliance consults with internal audit has been growing, in most cases it still only amounts to less than an hour a week.6 And surveys show that while compliance departments are expanding, internal audit departments remain relatively flat. As a result, internal audit teams often struggle to get the necessary traction to properly engage with the impact of new regulations on their organization.

Consumers and Shareholders Also Demand More Transparency

In recent years, not only regulators but shareholders, consumers and even suppliers are demanding to know more about a company’s

practices and governance. Consumers may boycott products and services based on unfair labor practices, ill-treatment of animals or environmental issues. Shareholders may feel the Board is not taking on enough risk to produce appropriate returns. In some cases, shareholders have tried to change Boards that have clung to traditions or management preferences no longer believed to meet the best standards of governance – such as a single person serving as Chairman and CEO. Internal audit teams must understand and be prepared to advise on good governance.

Increasingly Global Operations may Include Emerging Markets

Expansion into emerging markets brings new risks and volatility: political, economic and legal. In addition to the risk of nationalization, there may be

currency and foreign exchange issues, labor market issues, lack of real-time uncensored information, no rule of law, no court system and increased pressure for illegal payments or kickbacks. (For more details about business risks by country see The World Bank’s Annual Ease of Doing Business Index.7) Internal audit teams must be able to work across these varying landscapes, understanding cultural, social and business differences, and the impact they could have on the organization.

Recent Financial and Political Disruptions and VolatilityMany lessons have been learned since the 2008 Global Financial Crisis. In particular, the crisis highlighted how easy it was for conduct risk issues to turn into conflagrations that could threaten

international financial stability. Off-balance sheet structures; interconnectivity of investment products and organizations; enterprises of a size and reach that their failure ensured a domino effect of failures; unsuitable home loans; unrealistic ratings from agencies; high leverage; long-term artificially low interest rates; and misaligned rewards did not, at their origin, seem like they would cause the significant, damaging risks that they eventually did. Internal audit teams need to be able to better identify emerging risks at the point of origin in their organizations.

Codifying and protecting against risk and its potential impact to the company from the shifting geopolitical fault lines have, in many cases, fallen to the internal audit function.

SKILLSETS THAT A HEAD OF INTERNAL AUDIT NEEDS TODAY

So just what are the new skillsets that a leader of an internal audit team needs today to drive success, not just for his role and function, but for the organization as a whole? Overall, it is a very different set of skills to that which was required a decade ago:

A Thorough Understanding of the (New) Basic Requirements

Today’s Chief Audit Executive, or Head of Internal Audit, does not necessarily have an accounting undergraduate degree. He or she may have basic undergraduate education in many different

subjects, including humanities and arts – sometimes this broader knowledge base is actually preferred. Instead of an undergraduate degree in accounting, he or she may have an MBA and will typically attain an accounting or financial

analysis credential (CPA, CGMA, CFA, CMA), possibly a specialized credential demonstrating technical auditing knowledge (such as CISA, CTA or CBA) and be a member of one or more professional associations (See Box Some Definitions and Acronyms Explained).

The CIA credential is the only globally accepted certification for internal auditors and remains the standard by which individuals demonstrate their competency and professionalism in the internal auditing field. It is highly respected and requires ongoing professional development education. Often, companies will want the internal auditor to be licensed in the jurisdictions in which the company operates.


Critical Thinking and the Ability to Continue LearningHeads of Internal Audit talk about the need to be able to adapt, grow and change. These are core skills they need to survive and thrive in their roles today. Some of this need to embrace change comes from the way in

which organizations are changing the way they manage risk.

“The discussion these days is more around procedural preferences. Do we do it like this; do we do it like that? How does that change the risk profile? Do we want to take that risk or not? Topics are not all black and white: there is a space for grey and that’s where it gets interesting.”

Some of the need to embrace change is because organizations are looking at what risk is in new ways. The advent of concepts such as conduct risk, and risk culture, has provided significant new ground to explore. Many Heads of Internal Audit feel that industrial and organizational psychology and management training would benefit their work.

“Everybody looks at me and says, ‘what does psychology have to do with internal audit?’ I think it has everything to do with it…When the Chairman comes to me and asks me about the company’s social media-related risk, I am better equipped to respond.”

So much of a Head of Internal Audit’s role is focused on relationships with other stakeholders within the organization that an understanding of psychology would seem to offer a logical, if not absolutely necessary, benefit. The decisions that internal audit makes in designing the assurance process or structuring consulting assignments need to include an understanding of group dynamics, organizational political pressures, and in many cases individual psychology. Some professions have used psychological testing for years to understand how staff may react to high-stress situations, such as roles in the military, as securities traders or flight controllers.

Another part of this learning is about finding new sources of information within organizations. For example, many chief audit executives’ corporate whistleblowing policies are adding another reporting dimension.

“We cannot get the full picture with the analytics available to us and to spend a vast amount for a small risk or value at risk doesn’t make sense. Whistleblowing means we can unravel what is happening fast. It is a key control.”

Often, whistleblowing by employees has identified risks that had not previously been considered.

Deep Industry Experience and Corporate Knowledge“We have to be part of the solution for the organization, for the overall risk management function…we have to have someone with the background and experience, the knowledge, the

ability to be a critical thinker, to understand the organization’s goals and strategies and how those all fit together. That typically requires someone with a vast skill base, and not someone who is entirely focused on one vertical. You can’t expect someone focused solely on the accuracy of the financials or on fraud to have overall perspective on how the work environment fits with organizational goals and strategy.”

Increasingly, many types of risk are not revealed in financial statements. Take the following example. An airline CEO asked his Chief Audit Executive to create controls for a process to determine the airworthiness of planes with recorded technical problems. The Chief Engineering Officer reported to the CEO and the concern was that the CEO’s wish to keep planes loaded and in the air might bias the engineer’s decision. The airline wanted a process that would include objective tests plus expert judgment as to the planes’ safety before they were allowed to fly again.

But the issue is not just about designing and implementing control systems that organizations will follow, and testing them. It also requires analyzing any potential risks the new controls might occasion.

For example, airlines post 9/11 decided that it would be safer to have the cockpit door locked during flight. Did anyone consider the possible dangers such a move might cause prior to Germanwings Flight 9525?

The COSO study highlights the fact that while companies should be alert to a broad range of cyber attacks8, some may be industry-specific. This requires more detailed knowledge of the business and its assets – for example the next season’s designs for a fashion house; geophysical data for an oil and gas exploration company; or drug test data for a pharmaceutical firm.

“It’s related to the state of the development of maturity of your organization. Once you have a solid first line of defense, in terms of your financial and operational governance, policies and management, then you want to shore up the second line of defense and help facilitate the ERM (Enterprise Risk Management) which a lot of companies have implemented. The third thing is to implement controls around self-assessment for risk management.”

In the past, internal audit focused on operations that were seen as directly linked to revenue, expense or tangible assets. More recently, attention has turned to the softer side of the organization: marketing and public relations,


investor relations, corporate planning and development, and intellectual property.

The crown jewels to be guarded are no longer as simple as the recipe for Coca Cola. Reputation matters. Stock price matters. A merger with the wrong partner matters. And along with many of the other internal watchdogs, internal audit is supposed to act as an internal consultant to prevent things going wrong. Identifying the assets, the risks and how to protect against them requires vigilance and creative thinking.

Leadership and the Ability to ‘Belong’ in the C-Suite“An internal auditor needs to know something about everything, and everything about something. On his team, he tries to ensure that the members become subject-matter experts in

governance, risk management and internal controls. That is our goal. I try to ensure they have business acumen, and that they are able to understand what is happening around them, and not just from an internal audit perspective. It’s a lot to ask for, but when you find it, you try and develop a leader. We are talking about the ability to influence your environment…internal audit leadership, how to foster, promote and create leaders that can lead from an internal audit position. That’s new, but that’s where we are.”

To develop leaders, experts advise: motivate with respect, opportunity, education and, when earned, trusted advisor status. Encourage candidates to develop business operational knowhow as well as broad and deep internal audit experience. Grow the leadership skills with increasing levels of responsibility both in operations and in audit.

Ideally, senior staff in audit would have some major operational experience, possibly even having moved back and forth in their careers from audit to operational roles. The deep level of industry understanding that operational experience brings can be a tremendous advantage and is a quality that promotes substantial credibility with other C-suite executives.

However, once a senior staff member has committed to pursuing internal audit as a long-term career, the general consensus is that he or she should remain based in audit. Audit leaders know that they then need to be able to sit at the table with the rest of the members of the C-suite; to be able to command respect; be able to contribute to strategic discussions; and be perceived to drive value for their organization through the activities of their teams.

A Firm Grasp of the Importance of Internal Teamwork and Partnering

Teamwork has become increasingly important as various control and monitor functions overlap. Partnering with colleagues in both the control and operations

functions also helps raise issues and allows the audit function to design assurance protocols. Some studies have explored why internal auditors change positions, suggesting that they are often seen as outsiders in their organizations. This is because they must maintain a degree of objectivity. At times they may be recommending actions that the CEO or other executives may not welcome. While this is healthy, the responsibility for keeping the organization safe and performing effectively is not internal audit’s alone. There are benefits to including internal audit in projects, for example, where a new initiative is being contemplated, or where a new regulation will require compliance, whilst remembering that independence must be maintained.

“The buck stops with the CAE and if there is a dispute, the CAE has to make a decision. If in the back of his mind he thinks he wants to go into operations, he may not want to burn bridges. It may be a struggle and he may not make a good decision.”

The Ability to View the Organization with External HolismAs shareholders have become more litigious, Boards and executive corporate management have sought comfort in corporate risk assessment and controls, as well as

governance, while reaching for higher performance. At the same time an increasing amount of regulation, particularly in Globally Systemically Important Financial Institutions (G-SIFIs), often overlapping and sometimes contradictory, has increased the job of internal auditors who must anticipate and design systems to provide assurance on control processes. In addition, as regulators move beyond the strict letter of the law to point a finger at companies on issues involving culture, conduct and IT security, the burden on compliance and internal audit to anticipate appropriate standards and tests has become a constantly moving target. Internal audit leaders estimate that the level of consulting as a percentage of their overall time has grown in recent years, moving from about 10-15% a decade ago to 30% in 2015.

Consulting typically requires more creative thinking than assurance work, and this may involve the acquisition of new expertise, either by the internal auditor or through subcontracting. It is important not only for compliance and legal, but for internal audit to forge relationships with regulators, subsidiaries, suppliers and major customers and to be able to anticipate changes affecting the business.


SUMMARY TAKEAWAYS

• Critical thinking and ongoing learning are an important part of the CAE responsibility. Business decisions are often procedural where there is no right or wrong, and often no precedent. The ability to navigate this environment depends on seeking creative solutions and applying learning from other disciplines. New knowledge and skillsets are important – from the ability to contribute meaningfully to corporate strategy and governance, to understanding cyber risk and organizational behavior. Companies looking to stay ahead of the curve will no longer focus on hiring executives with only accounting credentials for internal audit roles. The use of subcontractors who are experts in various disciplines will increase.

• The CAE will increasingly need deep industry and enterprise experience and specific company knowledge. The increasing number of credentials for financial services auditing suggests specialisms, but a paucity of classified search adverts for Heads of Internal Audit further suggests that many companies are growing senior internal audit leadership internally.

• The Heads of Internal Audit in large multinationals will increasingly have C-Suite status and will need to have, or acquire, the requisite leadership skills and training. Succession planners should look to develop these skills for high-flyers through a sequence of operational and internal audit positions with increasing responsibility. Experience of emerging markets will also be important.

• Governance and ERM should be a collective responsibility, while preserving internal audit’s independence. Increasingly, governance professionals recommend a holistic approach to corporate risk assessment and mitigation. A more effective corporate approach to evaluating threats, external in particular, will enlist the resources of risk, finance, IT and legal working jointly to view issues through multiple lenses. From both a cyber risk and regulatory perspective, a multi-disciplinary approach will provide more informed results.

• In addition, establishing ongoing dialogue with regulators, major suppliers and customers, as well as subsidiaries and affiliates, will assist internal audit’s ability to stay one step ahead of potential problems. In the connected world, other people’s problems can become one’s own. Regulators have moved beyond “comply or explain” to “comply and explain”, in the sense that following the rules may not be sufficient. Increasingly, they also expect safeguards, monitoring, training and a demonstrable tone from the top.


Definitions and Acronyms ExplainedACCA – The global body for professional accountants.

Internal Auditing – Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

CAE – Chief Audit Executive.

CIA – Certified Internal Auditor. The Certified Internal Auditor® (CIA®) designation is the only globally accepted certification for internal auditors and remains the standard by which individuals demonstrate their competency and professionalism in the internal auditing field. The program was launched in 1973.

Since then, several additional certification specialties have been added to the list: QUIAL, Qualification in Internal Audit Leadership; CGAP, Certified Government Auditing Professional; CFSA, Certified Financial Services Auditor; CCSA, Certified Control in Self-Assessment; CRMA, Certified Risk Management Assurance.

CA – Chartered Accountant.

CFA – Chartered Financial Analyst.

CGA – Certified General Accountant.

CGMA – Chartered Global Management Accountant. The new global designation for CPAs working in business and government.

IIA – Institute of Internal Auditors.

AICPA – Association of Certified Public Accountants.

ISACA – Information Systems and Control Association.

ACFE – Association of Certified Fraud Examiners.

CMA – Certified Management Accountant.

CBA – Certified Bank Auditor.

CTA – Certified Trust Auditor.

CISA – Certified Information Systems Auditor. Awarded by ISACA, this internationally recognized credential signifies proficiency in information systems auditing, control and security.

CPA – Certified Public Accountant.

CPE – Continuing Professional Education. For CIAs this is 40 hours per calendar year and the certification will be withdrawn if this requirement is not met.

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of the five private sector organizations. (In addition to The IIA, COSO is jointly sponsored by the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), and the Institute of Management Accountants (IMA)) and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.

CBOK – Common Body of Knowledge Resource Exchange. CBOK is the world’s largest ongoing study of the internal audit profession. Led by The IIARF (IIA Research Foundation) and supported by IIA institutes and chapters around the world, CBOK includes comprehensive studies of practitioners, senior management, audit committees, and Boards.


Key Skillsets Required to Thrive as Head of Internal AuditThomson Reuters Roundtable Friday, April 24, 2015, Singapore Participants

Ms Tan Suan Ee — Head, Internal Audit Unit, Ministry of Manpower

Mr Ho Juan Heng — Vice President, Resorts World Sentosa

Mr Chris Ong — Head, Internal Audit, Urban Redevelopment Authority

Ms Chua Chen Yun — Assistant Director, Internal Audit Department, Maritime & Port Authority of Singapore

Mr Sng Hock Seng — Director, Internal Audit Division, Civil Aviation Authority of Singapore

Ms Mak Chung Yee — Director—Governance, Risk & Internal Control, Mazars LLP

Professor Foo See Liang — Associate Professor (Practice), School of Accountancy, Singapore Management University

Mr Antonio Martinez — Vice President, Head of Internal Audit, DKSH Management Pte Ltd

Mr Keith Kawashima — Chief Audit Executive, Robert Half International

Mr Derrick Lim — Divisional Vice President, Internal Audit, Singapore Airlines Limited

Mr William Lim — Director Audit & Advisory Division, JTC Corporation

Mr Wong Hong Sun — Director, Group Internal Audit, Far East Organization

Mr Tan Toong Hiok (Ronnie) — Head of Group Internal Audit, Hong Leong Asia Ltd

Special Thanks for the support of the Singapore Accountancy Commission and the Institute of Internal Auditors Singapore.


References1 Sobel, Paul J, What Must Go Right? Internal auditors should pay as much attention to the upside of risk as they do to the downside. May 06, 2015 https://

iaonline.theiia.org/2015/what-must-go-right

2 IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control. January 2013

3 Richard Chambers, Five Classic Myths about Internal Auditing. June 20, 2012 https://iaonline.theiia.org/five-classic-myths-about-internal-auditing

4 Stacey English and Susannah Hammond, Cost of Compliance 2014, http://accelus.thomsonreuters.com/sites/default/files/GRC00814.pdf

5 Stacey English and Susannah Hammond, Cost of Compliance 2015, http://accelus.thomsonreuters.com/sites/default/files/GRC02332.pdf

6 Stacey English and Susannah Hammond, “Cost of Compliance 2015,” Thomson Reuters

7 http://data.worldbank.org/indicator/IC.BUS.EASE.XQ

8 Mary Galligan and Kelly Rau “COSO in the Cyber Age” Published by Deloitte and COSO, Committee of Sponsoring Organizations of the Treadway Commis-sion, January 2015. http://www.coso.org/documents/COSO%20in%20the%20Cyber%20Age_FULL_r11.pdf

• Nation-states and spies — Hostile foreign nations who seek intellectual property and trade secrets for military and competitive advantage. Those that seek to steal national security secrets or intellectual property.

• Organized criminals — Perpetrators that use sophisticated tools to steal money or private and sensitive information about an entity’s consumers (e.g., identity theft).

• Terrorists — Rogue groups or individuals who look to use the Internet to launch cyber attacks against critical infrastructure, including financial institutions.

• Hacktivists — Individuals or groups that want to make a social or political statement by stealing or publishing an organization’s sensitive information.

• Insiders — Trusted individuals inside the organization who sell or share the organization’s sensitive information


© 2016 Thomson Reuters GRC03078_APAC/1-16

RISK MANAGEMENT SOLUTIONS FROM THOMSON REUTERSRisk Management Solutions bring together trusted regulatory, customer and pricing data, intuitive software and expert insight and services – an unrivaled combination in the industry that empowers professionals and enterprises to confidently anticipate and act on risks – and make smarter decisions that accelerate business performance.

For more information, contact your representativeor visit us online at risk.thomsonreuters.com

ABOUT SACEstablished in April 2013 as a statutory body of the Singapore government, the Singapore Accountancy Commission (SAC) is the lead agency in spearheading the development of the accountancy sector in Singapore.

The SAC’s Vision is for Singapore to be the Leading Global Accountancy Hub. This will be achieved through developing for Singapore a vibrant accountancy sector that enables the economy to grow, businesses to thrive and talent to flourish. In fulfilling this mission, the SAC seeks to uphold the values of being relevant, insightful, collaborative and advocative.

For more information, please refer to our website www.sac.gov.sg.

ABOUT IIA SINGAPOREThe Institute of Internal Auditors (IIA) Singapore is a professional organisation dedicated to the advancement and development of the internal audit profession. Established in 1976, members of IIA Singapore belong to a global community of more than 180,000 professionals in over 190 countries who share a common vision to advance their professional growth in internal auditing and add value in their organisations.

Our 2,300 members work in internal auditing, accounting, risk management, governance, compliance, internal control, information technology audit, education, and security.

For more information, please refer to our website www.iia.org.sg.

Documents

A NEW ORDER: THE KEY SKILLSETS NECESSARY TO THRIVE AS … Paper... · 2019-04-23 · a new order: the key skillsets necessary to thrive as head of internal audit today 2 table of