I always read the annual CEO, CFO, CAE, CIO reports from the Big 4 firms. They usually arrive in the first quarter of the year and are based on interviews carried out up to a year before. As a result, they are not usually as topical as they claim. But it is always interesting to compare these macro surveys and opinion pieces with your own direct experience. You typically see obvious areas of convergence and a few divergent ones. If the two perspectives are too far out, I tend to rely on personal experience and interactions with clients and business partners.
However, I read this year’s PWC report entitled ‘2011 – State of the internal audit profession study’. You can access it here
It is an interesting report with a subtitle of ‘scripting internal audit for a changed world’.
The authors refer to the impact on internal audit of the big 3 CEO drivers;
· Risk management
· Crisis prevention
· Cost efficiencies (doing more with less)
My personal experience in this post recession world is that CEOs care about those three issues, but are back to a primary focus on top line growth !
The big challenges for the Head of Internal Audit, VP Risk & Assurance, CAE (choose your title!) are reported as;
· Growth and acquisition
· Increasing regulation
· Emerging technologies
I can definitely identify with these! My own experience in the last 9 months has led me to Asia for two new client engagements with 3 more developing in China itself. In addition to these, I am having an increasingly common discussion with both Finance and Internal Audit departments about the impact of growth strategies in the developing economies (developing? These economies are putting the traditional markets in the shade!). Finance and Internal Audit/Assurance leaders are trying to come to terms with newly acquired or rapidly growing units in regions where they have little management insight into operations. Asia and Latin America particularly can be a challenge for an Internal Audit department largely located in Europe or North America. ‘How do we get good visibility and comfort on risk and control in these areas’ is the common discussion.
The regulation topic has seen a resurgence in the last year or so. The FCPA regulation out of the US was a bit of a slow burner to start with, but the number of investigations and settlements in 2010 (and continuing into 2011) tell the story that organisations are still not really prepared. To add insult to injury, we now have the UK Bribery Act coming into force in July, which in many ways has even more teeth than FCPA. And if you are not based in the UK, don’t relax. Just like FCPA, this one has long arms!! Even China has announced their own provisions. The big topic in anti-corruption compliance is not just about awareness, knowledge and preparedness but a frustration with costly, time consuming and seemingly bureaucratic compliance programs (or programmes if you are in the UK!). There has to be a better way to focus on the real risks rather than simply implement a ‘check box culture’ of training, self certification, reporting and whistle blowing. After all, these anti corruption regulations make it clear that ignorance is no excuse, so a mass of documented ‘procedure’ isn’t really a recipe for a good night’s sleep for the CEO and CFO. My team at Consider Solutions has done some excellent work in this area, but I am obliged not to allow this to go to their heads! My personal observation is that the dominant issue for business is now REPUTATION and mis-steps over preparedness for regulation are just one (very effective) way of exposing it’s fragility.
The PWC report states that some 70% of CEOs surveyed in a sister report are investing in technology to reduce costs and become more efficient, while 54% are investing in IT to enable growth through such initiatives such as mobility, social media and data analytics. The impact of emerging technologies could perhaps be better characterised by the term ‘changing behaviours’. Yes, the myriad of new devices, the ‘consumer-isation’ of technology, the march of social media, the dramatic shift brought about by the iPad (and other tablets) and the emergence of ‘cloud computing’ as both a ‘buzzword bonanza’ (SaaS, IaaS, PaaS, perhaps to some of you it’s even all just ‘aaS’) and a growing deployment model for systems that support our business processes, are all great technology shifts. But the most interesting element of them all is the change in attitudes and behaviours that accompany them. Just a few years ago, that fancy new smartphone you bought was ‘banned’ in the workplace, and you had specific devices ‘blessed’ by IT which you could use. The tsunami of devices which are just so easy to use is leading more and more firms to implement a BYOD policy ( a bit like ‘Bring your own bottle’ at a party but in this case you don’t end up with the dodgy Merlot from North Dakota). In a flashback to timesharing and outsourced hosting, the shift to cloud computing and the business friendly SaaS model is encouraging managers with revenue and growth targets to bypass conventional IT project cycles for the promise of immediate gratification in the cloud. These trends are accelerating the shift of the CIO from ‘guardian of the technology and data’ to a business service provider. All this poses massive challenges for those task with risk assurance.
At the more prosaic end of the technology spectrum, the report comments that ERP upgrades and implementations remain a key risk area for internal audit professionals, due to their complexity, the nature of financial processes they support and the continued separation between the business process specialists who define WHAT is needed and the IT specialists who define the HOW. There is an ocean of assumption between these two worlds and the report questions whether there should be more focus on ensuring the implemented processes and control environment genuinely reflect the performance needs and risks of the business. This is a major area of focus for a stream of our work.
The PWC report also touches on the CAE response. How does internal audit react? The report addresses skills, communication and relationship building and engaging internal and external partners. But I sense an even bigger shift. The dangers inherent in the classic demarcation of business, process and IT risk and control are becoming starkly clear. Just as in lines of business, in finance, procurement, sales and marketing, internal audit needs to develop new hybrid professionals who have a passion and thirst for knowledge in business strategy and execution, the relationships between processes and systems, vision for technology and an understanding of its application. They need to be as comfortable considering the social media impact of a business initiative as they are in assessing the risk and performance impact of business processes. The new hybrid will find it much easier to ‘earn their seat at the table’ across the organisation as they demonstrate the real value they can offer to both operations and assurance. The new hybrid will be better able to balance focus between risk and compliance assurance and recommendations to improve the efficiency and effectiveness of processes and controls. 66% of those surveyed by PWC reported that specialised technology expertise is a key requirement. The essence, however, is balance. Long live the new hybrid !
We have a lot of work to do in this changing business world. How do we compare to our peers, to our business realities and to our expectations for the next few years? It’s time to perform. . .
Lights, camera, action . . . .