Canada: Adjusting The Lens. The World Is Changing - And So Is The Role Of Internal Audit

With CEO confidence in growth returning in the wake of the global economic downturn, business executives are shifting their attention from crisis prevention and cost effectiveness to innovation, growth and bridging the skills gap. According to PwC's 14th Annual Global CEO Survey, many CEOs are looking for ways to take advantage of new opportunities, including ones in emerging markets. These CEOs are re-evaluating their business strategies in areas like talent management, innovation and emerging technologies in order to position themselves to prosper and grow.

As the priorities of CEOs shift, so are the priorities of chief audit executives (CAEs). In 2010, CAEs were focused on doing more with less: identifying new approaches to risk assessment, integrating their activities with other risk and compliance functions and enhancing internal efficiencies. Now, with potential growth on the horizon, CAEs are moving to respond to a changing risk environment. As the 2011 State of the Internal Audit Profession Study reveals, CAEs are zeroing in on three distinct areas of concern: strategic growth, emerging technologies, and regulatory requirements.

Here in Canada, CEOs are expecting growth over the years ahead. At the same time, many recognize that the potential for growth comes with added risk. From the enhanced speed of communications brought about by social media to cloud computing and e-mobility—CEOs are looking to their CAEs for advice on what the risks are and how they can be mitigated. But not all internal audit functions are ready to adjust their thinking to a shifting way of doing business.

With the rapid changes in how people work and communicate, the time is right for internal audit to take an active role in evaluating business strategy. Yet, being successful will take more than sticking to the status quo—it will take showing the executive team the real value that internal audit can bring to the table.

About the study

Every year, PwC conducts a global survey of chief audit executives to gain their perspectives on business challenges, emerging trends and key issues facing the internal audit profession. The 2011 State of the Internal Audit Profession Study was conducted in the fourth quarter of 2010 and includes responses from over 2,000 participants from more than 50 territories, including Canada. This whitepaper provides a Canadian perspective on key highlights from the 2011 State of the Internal Audit Profession Study. A copy of the full global report can be accessed on our website: "http://www.pwc.com/ca/ iastudy2011"

Key challenges

• Defining the role of internal audit within a changing world
• Finding ways to address risks related to emerging technologies
• Being able to respond to the risks presented by social media
• Conducting internal audit in a time of increasing regulation
• Bringing internal audit to the table when strategic decisions are made

Highlights from the 2011 State of the Internal Audit Profession Study

New growth, new risks

Emerging markets like India, China, and Indonesia are booming, with 2011 forecast growth rates above 6%, as compared to the 4.2% global average.¹ As a result, it's not surprising that CEOs are focusing on advancing operations in these regions—where previously, increasing consumption in developed markets was their primary driver of growth.²

While emerging markets and opportunities are an area of expected growth for CEOs, this area has not traditionally been a priority area for internal audit functions. Of the CAEs surveyed, only a minority are focusing attention on the risks associated with emerging markets and other leading areas of growth, such as cross-border acquisitions and new joint ventures or strategic alliances.

As companies put more emphasis on achieving results from an expanding number of growth areas, internal audit will need to become more involved in the risk assessment associated with these strategic initiatives.

Considerations for Canadian Businesses

A number of Canadian businesses have operations in emerging markets, or are looking to emerging markets as a potential area for future revenue growth. As Canadian companies continue to expand globally, they need to consider the implications of their activities from a risk perspective and realign their internal audit resources appropriately. Currently, many Canadian companies use centrally-based internal audit resources to cover international locations. The challenge with this approach is that international resources may not understand the local cultural norms or generally accepted practices. This can hinder their ability to identify key issues and risks, and the potential disconnect between local practices and corporate reporting requirements. CAEs whose companies are looking to invest in emerging markets should act now to determine how they will develop and manage ongoing internal audit activities. These companies should consider implementing best practices that will enhance their local knowledge and minimize their risks. Considering the importance of on-the-ground insights, this might include identifying opportunities for international co-sourcing arrangements.

In what high-risk locations is your organization doing or considering doing business? How do you manage and audit risks within these areas? Do you have resources that understand the cultural norms and acceptable practices within these locations?

Emerging technologies, emerging risks

Technology isn't just about reducing costs and becoming more efficient; it is also about enhancing connectivity with clients and leveraging innovative platforms for service delivery and obtaining stakeholder feedback. Many companies are starting to investigate the non-traditional roles technology can play in helping them be successful. For example, 54% of respondents to our 14th Annual Global CEO Survey are investing in emerging technologies— from social media platforms to cloud computing.

For internal audit functions, the challenge comes from the rapidly expanding variety of technologies and their associated uses, and the speed at which advancements are being made. Emerging technologies introduce new levels of risk—from brand protection to privacy and security—some of which are more controllable than others. But these risks are not yet high on the priority list of internal auditors. Less than 50% of chief audit executives surveyed said that they will be involved in auditing risks associated with social media and cloud computing, with less than 5% involved to a significant degree.

Leading CAEs recognize that the risks related to emerging technologies are evolving quickly and need to be considered from a fresh perspective in order to ensure they are appropriately managed. These CAEs are working with their executive team to enhance corporate opportunities while reducing risks.

Considerations for Canadian Businesses

Technology is an enabler, it is not a solution. By utilizing different technologies, Canadian companies can address issues and risks they have identified—from responding to stakeholders more effectively, to increasing their ability to track, monitor, and report on activities.

The challenge comes with recognizing that technology is evolving at a rapid pace. As a result, so are the risks. For example, evolving social media tools (e.g. Facebook, Twitter) are increasing the speed at which information—both good and bad—travels. This means that a minor issue can become a major issue within hours.

CAEs that understand the risks associated with different technologies can assist with developing appropriate risk mitigation, monitoring and reporting processes. For example:

Cloud computing

• Issue: Cloud computing refers to the sharing of infrastructure and platform service resources across business units or companies. Yet, while this sharing of resources may lower costs, it could also add a new level of complexity with respect to risks. Moving to the cloud requires in-depth consideration of data security, access controls and system maintenance issues.
• Role of internal audit: Canadian CAEs should be integrally involved in working with potential providers to ensure that data is safe, secure, backed up and fully accessible only by those individuals who require it. Internal audit functions can also play a role in assessing whether adequate controls are in place within a service provider.

Social media

• Issue: Social media refers to the use of web-based and mobile technologies to turn communication into interactive dialogue. Many companies recognize that social media provides a significant opportunity to collaborate with employees, customers and other stakeholders. From Facebook to Twitter, LinkedIn and other tools, Canadian companies have a wide variety of options for social collaboration and networking. The challenge comes with the dispersion of control of company information. The more interactivity, the higher the risks associated with unintentional leaking of proprietary information or release of messaging that is not consistent with the brand.
• Role of internal audit: Canadian CAEs should consider the risks presented by social media and be proactive in assisting with the development of policies that will allow their company to mitigate the risks associated with unintended consequences. The internal audit function can also be responsible for monitoring compliance with practices and assessing controls over any activities orientated toward reducing costs to determine if they are effective.

Do you know what controls your cloud computing provider maintains over the security and integrity of your data? How do your security processes address the use of social media? Are you monitoring use and compliance with your IT resource policies? Do your employees know what information they can and cannot share over social networking sites?

Addressing the regulatory labyrinth

Meeting regulatory requirements can be challenging, especially for global organizations. Companies that operate globally are often subject to regulations not only in their home country, but in all countries in which they operate. For example, public companies listed in the U.S. are subject to the Foreign Corrupt Practices Act ("FCPA"), regardless of where in the world the incident occurred.

CAEs need to understand the global regulatory environment in which they operate and the potential costs associated with non-compliance. This will help them develop controls and processes to manage and monitor their compliance risks.

The 2011 State of the Internal Audit Professional Study found that the complex regulatory environment places an added burden on the internal audit function of companies. Sixty percent of respondents said that they expect to increase their attention to regulatory compliance programs in their audit plans.

Considerations for Canadian businesses

Canadian companies should be aware of the regulations governing their activities in all jurisdictions in which they operate. With respect to corruption practices regulations, some companies may be subject to antibribery laws in Canada, in the country in which an incident takes place, or in another country all together. Even for companies only operating in Canada, there can be regulatory challenges. For example, some companies are required to report on their greenhouse gas emissions by either the federal government, one of the provincial governments—or any combination thereof. The lack of coordinated regulations can increase the complexity and cost of establishing processes to measure, monitor and report on regulatory compliance related activities.

Whatever regulations that a company must comply with, the internal audit function should play a key role in assessing and developing corporate compliance programs, and in implementing and monitoring any identified controls or processes. Internal audit can also take a proactive role in identifying potential changes to legislation and regulation and assessing potential impacts on the business.

What are the regulatory drivers of your business? How might new regulations impact your ability to be sustainable over the long-term? How do you identify global regulations and regulatory changes that might impact your operations, the operations of your suppliers, or other companies with which you do business?

Shifting the role of internal audit

As the risk environment changes, so does the role of internal audit. In the past, CAEs could easily focus on localized issues and processes. Nowadays, CAEs need to be more strategic; they need to recognize the strategic priorities and objectives of their organization, the scope and breadth of their operations and the global business environment in which the company operates.

To be successful, this type of holistic approach requires that CAEs be more involved in company strategy than ever before. They need to work collaboratively with other executives to ensure that the internal audit function is focused on the most critical business risks. In order to get a seat at the table, though, CAEs need to establish their credibility. This means ensuring that the right people with the right skills and attributes are in place to drive the value proposition for internal audit.

When it comes to identifying the skills essential for internal audit, the focus in 2011 was on the technical skills (e.g. risk assessment approaches, technology expertise). At the same time, leading CAEs placed a greater emphasis on softer skills (e.g. critical thinking, understanding of the strategy and business model, communications). What this suggests is that in the future, internal auditors will likely require a complex blend of both technical and soft skills—a fact that could make finding talent more difficult.

Considerations for Canadian businesses

Canadian companies generally have a more traditional approach to internal audit. Many focus their internal audit function on operations and have given little thought to expanding their reach to address strategic and emerging risks.

Moving forward, Canadian CAEs should start to consider the wider risk environment in which they operate and the skill sets they will need to identify and address these risks. For example, Canadian CAEs that represent companies operating in emerging markets may need to identify individuals with experience in those markets.

Canadian CAEs should also consider taking on the role of ensuring that the internal audit function is integrally linked with their organization's business strategy. To be able to do this, CAEs should proactively work to build relationships with other leaders within their organization and to make certain they have the right people with the right skills to add value during strategic discussions.

Finding the right talent could be a challenge. According to the our 14th Annual Global CEO Survey, 83% of Canadian CEOs expect that the limited supply of candidates with the skills needed by their organization will be a key challenge over the next three years, as compared to 66% of CEOs globally. In order to ensure the sustainability and value of the internal audit function, Canadian CAEs should act now to assess the skills they will require in the future and begin identifying and training their people. In some cases, this might require sourcing specialized expertise from outside suppliers or enacting training programs that allow individuals to develop more specialized expertise through targeted assignments and opportunities.

Are you making internal audit relevant to the strategic position of your business? Do you have the right people with the right skills needed to assess risks associated with a rapidly changing risk environment? How are you structured to address risks within your global operations

Where can you start?

The internal audit profession is constantly evolving. The most noticeable difference between the 2011 State of the Internal Audit Profession Study and the 2010 study is the focus on social media and emerging technologies. This evolution in how businesses communicate and do business is a very powerful example of how the world has changed. The risks associated with social networking and collaboration highlight the importance of recognizing the full risk environment when determining an internal audit plan. When one slip of the tongue on Twitter can have a negative impact on your brand—not only in one location, but around the world—the global reach of other risks also become more noticeable.

Steps for moving forward

• Define the importance of having your internal audit function present at the table during strategy development.
• Identify your business strategy, prioritize risk areas and incorporate key risk areas within your internal audit plan.
• Develop a plan for ensuring you have the right talent with the right skills to be successful in this environment of changing risks.
• Be proactive in determining how to monitor and control new and emerging risks—like those associated with social media.

With the recession behind us and growth on the horizon, now is an opportune time for Canadian CAEs to start shifting the lens when it comes to the role of internal audit.

Footnotes

1 World Economic Outlook, International Monetary Fund, April 2011.

2 14th Annual Global CEO Survey, PwC, January 2011.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.