KL: That's a great answer, Shawn. And when I think about internal audit, even in the time that I've been in the role, it's fair to say there's been a wide transformation on how the function itself has been engaged by the business, the role it plays, and I think it's been really exciting to see how that's evolved over the years. So maybe Sophie, I'll start with you. With your tenure being an internal audit profession, describe to me some of the evolution that you've been involved in.
ST: Yeah, absolutely. There's been a lot. I think the risk environments are constantly evolving, and so we are constantly learning and innovating on how we need to best evaluate and address risks in a way that will continue to instill confidence in client stakeholders across the business. I spend a lot of time working with clients to upscale their digital literacy. We have so much data at our fingertips now that to be able to really move forward and drive insights from event log data, from transactions we're already in the weeds with which historically we may have just performed sample testing, we can now look at full populations, understand more trend analysis to think through the bottlenecks there.
Similarly, when I think about our cybersecurity counterparts that we plug into the internal audit world, that environment has completely changed since when I began, and the constant evolution of the tools that we're using of the types of risks that we're continuing to review in the cybersecurity space, looking at cyber threat intelligence, different things like that, there's just a continued transformation in how we show up with our clients and think through what that means to really innovate the profession together.
SD: And just to add to that, we all hear about the pace of change in business increasing more rapidly. Everything from... It's a much different business environment now than it was not just 20 or 30 years ago, but even two years ago or three years ago. And everybody's aware of Benford's law in terms of the pace of change more rapidly increasing. Well, as internal auditors, as professional internal auditors, it's key and incumbent upon us to make sure that we are at that forefront of change, that we understand our organization's strategy and the execution of that strategy, the key risks, some of the obstacles, some of the things that are kind of pressing against the organization in terms of being able to continue to achieve those objectives and really staying ahead of the game in terms of bringing our profession into those areas of review so that we're best positioned again to kind of provide that independent voice to organizations to help them maybe provide a different point of view sometimes.
Being outside of the functions that we're involved in auditing allows us to be a bit more objective. We're not as close to the operations and so forth. And so we are able to provide that high-level consideration that the business needs to consider to move forward.
KL: I've heard a few people use the analogy of moving from more of a defensive approach to an offensive approach, looking through the windshield rather than the rearview mirror. And I think everything you really describe, you both, really hits on that. Any stories that you'd like to share in terms of looking through that windshield, trying to anticipate what's to come, looking at those emerging trends where you've had a lot of success, and driving that value that can be delivered to the business?
SD: I'll go back a few years in terms of, for me, it's a memorable part of how internal audit can kind of bring that value to an organization. I was involved with an organization that had just acquired a major business in India, and I was there with a team of about four people on a two-month audit to really kind of go through the new acquisition or the new operations, manufacturing processes, sales marketing processes and kind of a whole holistic view of how the business was doing. And it really became apparent after that week as we kind of scoped the audit out and we began our fieldwork that that particular operation was really far behind the rest of the organization just in terms of manufacturing processes and so forth. And I just remember there's a time to do an internal audit and there's a time to maybe take that step back and say, "What's the best course of action for an organization to again kind of provide that value?"
And so we reached back to the chief audit exec and we said, "We've been here a week, we're at 100 issues at the moment, and in the next two months we expect to probably have about a 300-page audit report, which is absolutely not what this particular organization needs at the moment. They really need sort of basic help blocking and tackling and developing those initial processes that will help get them to the next level." So the good thing was a team that we had in place, again, professional internal auditors, was so well positioned that the chief audit exec called back and said, "Yes, you can stop the audit and the good news is you and your team are there for the next year to really kind of provide that basic blocking and tackling that you're recommending." So fabulous experience.
And the team really had an opportunity to kind of dig in and help the organization, again, with those basic business skills and getting the company to the right spot. But it wouldn't have been so had we not had the right skillsets on the ground to recognize that the true value of what we could bring to that organization might be a little bit different than the traditional audit.
ST: Yeah, Shawn, that reminds me of one of my clients. It was a new client, but the idea of taking a step back looking at what does internal audit mean today and where do we need to go from here to stay relevant. We took over an internal audit function that was historically very compliance-focused just on a number of affiliates, and each year they were auditing X number of affiliates and confirming that their expense reports were appropriate and various elements of financials were appropriate and the internal control environment was operating, but they weren't taking a risk-based approach in terms of most impactful affiliates or looking beyond anything in the environment more centrally. And so when we took over, they were about to go through a major consolidation. They were about to launch a really important new strategic program, and we thought that internal audit hours should really be allocated to these strategic risks aligned to these business imperatives that were going to make or break the success of their next couple years and being able to stay on plan and meet the expectations of all of their shareholders, their community.
And we pivoted to have a completely different lens to what our focus was, and it was no longer just about compliance, but it was working in the foundational internal controls as they were building a program. So we weren't necessarily doing a lookback audit on what had gone wrong in the past 12-month period. We were actually, as they were in the design phase, baking in the internal control lens throughout so that when they were launching their program, they were already comfortable upon go live with how their lens on risk had been incorporated. And we repurposed hours that historically had been spent in the same way year over year for several years to focus on things that would make a greater impact down the line.
And that have continued to evolve as we've been able to better educate their audit committee and their board of directors on what enterprise risk means, and we've been able to help make a case for more budget towards a security position as there have been more and more data privacy and cybersecurity implications from that new strategic program. And so really shifting how they were able to better think about the future needs of their business through what we were reviewing with them as their business partner, as internal audit.
KL: I think it's important that we share stories like these because I think it makes it so much more relatable because we're all navigating different challenges or similar challenges. We've talked a lot about the evolution and the transformation of internal audit, what it was, what it is today, what is it going to be in the future, this group of professionals, this is what we do day in and day out. Obviously, a lot of it is exciting, but again, it comes with its own challenges. So I'd love to just spend a few minutes talking about those challenges as it relates to the function within the business, the relationships, the work itself, and maybe in addition to that, really elaborating on what we have done as professionals to make it better.
ST: Yeah. This one really excites me because I love the idea of evaluating risk. I love the internal audit profession, and sometimes you have new project stakeholders every time you kick off an audit, and there may be folks you've never worked with before and you forget about this kind of fundamental truth that people hate being audited, and I forget that I show up as the auditor into those rooms excited to kick off a project and they are not having it. So I need to make sure that every time I'm making a new introduction, I'm collaborating with new business units, that we are continuing to promote what the brand of internal audit means, how we can actually help them achieve their strategic objectives, how we're meant to really support different stakeholders. So we have our process owners, we have our executive sponsors, we have the board of directors, all of them that see different value in what internal audit means.
And so I kind of have learned through that, that we just need to make sure that we are communicating why we're doing what we're doing. And that all ties back to the risk-based approach. The better they understand the risk behind what we're evaluating and the potential exposure, if they don't have a sound internal control environment, the more they realize it's not a personal attack on anything they're doing, but it's really helping them to best move their business forward in a way that they're decreasing the uncertainties around what they don't know. They're increasing confidence that things are going to be done right and that they won't have certain vulnerabilities or gaps that can really pose more of an issue for them down the road. So just an over-communication of what risk means and how we can help them remediate any issues that we find.
SD: Yeah. You touched on it at the end there. Communication, right? Communication is so key, not just within internal audit, but as a professional, being able to communicate what you're doing, why you're there, and what your particular job is incredibly important. Internal audit, again, as you kind of started out, Sophie, is challenging because nobody wants to see internal audit in their function, kind of providing that report in terms of how an organization is doing or how that particular process is doing. So a lot of times we're kind of behind the gun as soon as we come in a lot of those cases. The thing we have to continue to realize is that as a function, as a profession, we have multiple stakeholders that we're responsible for in everything we do. So in most organizations, the internal audit function reports to the audit committee as part of the board to again provide that independent overview of how well management is doing in terms of executing the strategy.
We certainly have a need to partner with management in a way that they're comfortable, again, from a risk-based approach, what we're doing, why we're doing it so that they welcome sort of these reviews. And then as we get down into the audits themselves, the key stakeholders that are part of that, I've found that the more we communicate and the more we can kind of set up our process in a way that demystifies what we do so everybody knows what we're doing, when we're doing it, what to expect at every stage. Setting that stage with expectations really takes some of the potential issues and potential conflicts out of it. The other thing too is I started at the beginning of this saying some organizations were very compliant-oriented, where some are more value add. I would say it's a lot easier to have that partnership and that seat at the table with management when you are really responsible for helping the organization succeed across all aspects, not just the compliance areas, because when you're just doing compliance audits, you tend to get into the trap of what we call got you audits.
So you do an audit, you have reports, people take these issues and your observations very personally, and in some organizations it manifests itself into sometimes negative events that occur for bad audit reports. And that's so far away from what effective audit can do and what we're trying to do as professionals in terms of, again, at a high level, internal auditors, professional internal auditors, I kind of think of as the renaissance people within organizations. We need to be ready and able to audit almost any function that exists in an organization. Obviously, supplemented by experts when needed through understanding the purpose of what we're auditing and how it fits into the overall company and the overall execution of the organization strategy. It's really key that we talk about what we're auditing in terms of the business itself and what the business is trying to achieve. And I've found that oftentimes when you're able to do that, when you're able to sit at the table regardless of who the stakeholder group is, you're able to have a lot better conversation with people.
KL: All really key points there. A few takeaways from what each of you said is communication, relationships, education to really drive what the purpose of internal audit is. Because unfortunately, the term auditor doesn't come without some type of negative connotation. I think we can all appreciate that, and sometimes I'm reluctant to say auditor and what we do because it's so much more than that, and I think everything that you hit on is what makes this profession so exciting. Obviously, there's a lot of passion behind it. We wouldn't do what we're doing for as long as we've done it if there wasn't that passion there. So I'd love to just have each of you share when you wake up in the morning, why are you excited to deliver an internal audit or work with an internal audit team?
ST: Yeah. I love the variety in my day every day. I think it's so exciting to learn about these evolving risks and to think critically. We talked about how we innovate our profession. That drives me every day to really be approaching everything we do with a unique mindset. And I also love that I get to work with so many stakeholders bringing that through internal audit. So I think about you need... Shawn touched on the fact that we have to be ready to audit almost anything. So we're bringing all of these specialists, and I might have on one audit plan, folks that are touching supply chain, sales, ESG, technical accounting, cyber threat intelligence, and getting to bring all of those people together to develop this robust perspective on what risk means to an organization and elevate that to the stakeholders that Shawn was mentioning.
We have our audit committees, our executive sponsors that really want that transparency into what's going on at their organization that they don't have a line of sight into day-to-day. I find that fascinating, getting to learn from all of our different groups internally and getting to work with so many exciting clients going through their own unique challenges that we get to collaborate with on how to best evaluate and tackle those.
SD: Yeah. And I'll totally add to that, Sophie, you hit the nail on the head. The ability for continuous learning and problem-solving and every day is different, and every client we work with is different, every area we work with is different, and having to figure out what makes things tick and how to work with our key folks to make things better and make things better for them as well is just there aren't many professions where you get to do that all the time. I'll go back to when I was in industry, a couple stories in industry. My first job out of school was in internal audit, was at Kellogg's, the cereal company, and for probably about the better part of my first year in that role, my mom always asks, "So what is it you do again? You work in internal audit, what is that? Is that like counting cornflakes or can you help me understand sort of what that means?"
So over time, I actually use sort of her question to start to build the answer to really, yeah, a little bit it is about counting the cornflakes because we have to know where they are at any given time to make sure that they're in the right store on the right shelf at the right time. But there's so much more that goes into creating that product, running that product in the ecosystem of Kellogg's to be able to really add the value that I think they were looking for from an internal audit standpoint. The other story, and again, this is kind of the excitement of being able to do something different all the time and really having a role that contributes to overall organizational improvement. At Whirlpool, we had a three-year built-in sort of process where people would come into internal audit and after three years they would go out into their permanent roles or their next roles in the organization.
And typically, at about two years, people got a little antsy and wanted to make that change, but we held them to the three years and we found almost to the person when they actually did go out into their next role, whether it was HR or finance or operations or whatever, after about nine months after they learned the job, they were ready to come back to internal audit because they liked the variety and the ability to kind of work across and have influence over how Whirlpool basically drove that business model. So it's very exciting when done well and people get really jazzed about being in this profession.