IT auditors new to the profession may hear references to a time when the internal audit function was viewed as the “police.” Years ago, it was not uncommon for organizations to perceive internal audit’s responsibilities of assessment and evaluation as being similar to that of a policing function. Operational errors or deficiencies identified and reported were analogous to crimes in the world of law enforcement. To be fair, there were some personality types within the internal audit profession who didn’t object to that characterization. If the characterization were true, however, most auditors did not favor that characterization and probably all of the IT function and management wished for it to go away. So, auditors worked to counter that perception and management continued to provide feedback on what it wanted from internal auditors. One big ask from management was “If internal audit surfaces issues that are either already known or that could be easily corrected, what value does internal audit provide?”
The answer to that question was delivered when auditors created opportunities through compliance initiatives, business process documentation and other operational areas to work with the IT function outside of the audit process. More frequent involvement between auditors and the IT function offered the benefit of a better working relationship than when the auditors were perceived as the police. But, in reality, whether internal audit is adding value is a dynamic perception. As organizations are characterized as engaging in disruptive innovation, continuous development, or digitalization, the audit function must complement its operational partnership with a strategic partnership to keep pace with the organization and to add value. (Just to be clear, the auditors are not creating strategy; rather, they are mindful of strategic impacts in all of their work and they communicate those impacts with senior management and the board).
The path to strategic partnership may be more easily stated than achieved, though. In the 2019 Global IT Audit Benchmarking Study from ISACA and Protiviti, 81 percent of respondents from Africa indicate that IT audit directors (or equivalent) regularly attend audit committee meetings, but respondents from other regions provided less encouraging results, with that data point ranging between 46 and 64 percent. A Chief Audit Executive (CAE) may attend audit committee meetings in place of an IT audit director; however, of the two positions, the IT audit director generally has more comprehensive involvement with IT audit assessments and evaluations. Without being part of the these and other meetings where strategic discussions take place, it is a challenge for the audit profession to assume the role of strategists.
To earn a seat at the table where strategic discussions are taking place, IT audit directors and their teams should embrace the role of strategist by emphasizing their work through the lens of the organization. For example, once the organizational impact of a risk has been identified, a strategist will extend the discussion to what the organizational impact means for the overall strategy and mission of the organization. Framing this communication in financial terms is often appreciated by senior management and is fairly easy to do. On the more challenging end of the spectrum for the strategist (and most valuable to the organization) are communications that are forward-thinking. Without being clairvoyant, the internal audit strategist can share with senior management and the board what trends their industry is experiencing or solutions for known concerns before those concerns turn into problems. This is much more valuable than an after-the-fact summary of where things went wrong.
In self-assessing how much value they are creating, internal auditors should evaluate the state of their strategic partnerships and acknowledge the interdependency of operational and strategic partnerships, but focus on the forward-looking benefits that being strategic offers. When the transition to organizational strategist has been socialized and accepted by the organization, perhaps the coveted seat at the table will be earned.