Internal Auditing: Trends and Challenges

The CPA Journal:

How has the profession of internal auditing, and your own work, changed in recent years?

Mark Martinelli:

If you look at internal audit today versus back in the 1980s, it is unrecognizable. Internal audit was more a department you worked in, as opposed to a profession. What has happened—mostly post–financial crisis—is internal audit has become a profession in and of its own. We have the stature, and certainly a seat at the executive table. We have upskilled, and we are providing a lot more in-depth knowledge to management.

There is a higher level of expectation that companies do the right thing. The right thing is not just what’s legal; it is what is fair. In many ways, we are not just auditing to the regulations, but to the expectations that society has.

CPAJ:

Many internal auditors must divide their time between regulatory compliance and efficiency and effectiveness of operations. How do you balance your focus?

Martinelli:

Interestingly, what has happened is that we are doing more integrated audits. When we speak about integrated audits, we mean a combination of regulatory compliance and operational compliance. The reality is that regulations in and of themselves are easy to follow. What is tougher is to be able to address the expectations that the media and governments have.

External auditors focus on financial controls; that is their bread and butter. Internal audit will look selectively at financial controls, but we spend quite a bit of time looking at what we call operational compliance and regulatory controls as well.

We are looking more at financial controls now, although not necessarily at an entity level. I think there will be an increase in what we look at, at a segment level and at a product level. Again, the level of scrutiny on operations, numbers, and profitability has increased.

CPAJ:

How can internal auditors prepare for the changing internal audit environment?

Martinelli:

Companies change and transform in different ways. They might get a new management team; they might be acquired; they might acquire a different company. The way you audit a company today has to continually transform. One of the challenges we have at internal audit, and I think one of the things that makes internal audit interesting is being able to adapt to that change.

We also have to introduce what I call lifelong learning, in terms of supporting training sessions outside of your company and inside your company. And make sure, again, that we are keeping the skills that those individuals have honed. It is about hiring the best individuals and keeping them well trained.

CPAJ:

What advice would you give to students?

Martinelli:

We are still in the early days of universities having a dedicated curriculum for internal auditors. Even if you go to a university that does not have a dedicated internal audit curriculum, I think one of the things that I would do is, aside from taking the accounting and finance classes, dedicate a significant amount of time to getting certainly a minor, if not a master’s degree, in data science. I think the ability to understand and audit digital information and understand technology is a must. It is going to be transformative, and it is going to provide an exponential change in what we do, and how we do it, in internal audit.

When I mentor students at different universities, they always ask, “What’s the additional class I should take? Is it a new finance class? Is it something in derivatives?” And I tell them that you need to take courses in understanding ethics, understanding culture, and understanding how to become a better writer.

Universities are not necessarily trained to develop your soft skills. To be an effective auditor, you need to have good soft skills, skills related to influencing, and skills related to effective challenge. Effective challenge is part of the underlying core skill set that is needed to be independent and objective. These are the types of courses and workshops that, if I were considering going into accounting and internal audit, I would look into.

CPAJ:

What role will technology play in the changing world of internal auditors?

Martinelli:

I think the biggest impact is from the disruption that is taking place because of technology. If you look at what is happening—with the cloud, with mobile, with cybersecurity, and with data—these things are all new emerging risks that need to be audited. They have never been audited before. They were not really risks before.

One of the biggest challenges is: How do you take these new and emerging risks and train individuals to be capable of auditing them? Some of that you can do with training, but some is uncharted territory. Take data. How do you audit data and data frameworks? How do you audit the way data is transferred?

CPAJ:

What are some of the opportunities of a career in internal auditing?

Martinelli:

I think the best part of working as an internal auditor at a very young age or in the early part of your career is that you will be exposed to all the operations, controls, and areas that the company has, which is really rare for someone to do early on in their career. To be able to see the revenue side, the operational side, the risk side, the business side, and have exposure to very senior individuals, I think it hones your skills at a very young age. It gives you broad experience to the overall organization. Equally, as I mentioned before, it is a training ground. And from there you can have a career in internal audit or you can ultimately transfer into the business. I think you develop a very good understanding of risks and controls, good communicating skills, and reporting skills.

CPAJ:

What about the challenges you’ve faced?

Martinelli:

There is that level of power and responsibility that you have with internal auditors who are reporting to auditing committees. What are some of the negatives with that? You are going to get a level of pushback. No one likes to be audited, and yet they understand the importance of being audited.

Also, there are time deadlines. In any given company, you have an audit plan, and you have to execute and deliver on that plan. You have to balance the objectivity of reporting items you find with the fairness of reporting them in the right way. That becomes challenging early on in your career.

Talented individuals are difficult to find. I think over the years the size of the staff has essentially stayed the same, but the composition has changed. What I mean by that is, if you look back—and not even that many years ago, pre–financial crisis—most of your team would have been traditional auditors, trained as external auditors, who have become internal auditors. They did not have business experience. If you look at most internal audit departments now, a significant composition of the team will have nonaudit experience. What do I mean by that? They have been treasurers, traders. They have worked in operations.

There has also been a tremendous amount of upskilling, which has been required because of the nature of the risk that we are trying to audit. More individuals have a digital background.

The size of the staff has stayed the same, but the technical skills and the soft skills they need have been significantly enhanced.

CPAJ:

How do you find the right people for the job?

Martinelli:

Traditionally, we had done most of our hiring from external audit firms, the big 20–30 firms that focused on financial auditing. Now we are doing much more operational and compliance work. The upskilling is, “Look, there is a tremendous need for individuals that can use data.”

Now we also have colleges and universities training individuals to be internal auditors. So, you are getting the technical skills of understanding what controls are, what internal control frameworks are, and what risk is.

We are certainly always recruiting. We are recruiting by going to different networking events, trying to identify who the best people are. Companies have also gotten very good at taking their more talented staff and treating them well, both in terms of the work environment and how they are compensated. And it is a challenge.

CPAJ:

What about retaining staff?

Martinelli:

On average, across the internal audit profession, you have about a 15% turnover rate. The good news is that half of that is individuals transferring into the organization they work for, which is a good thing. Internal audit departments have become a conduit to find good staff. But we still have to replace those 15%.

Internal audit departments have become providers of talent within the organizations that they work in. Equally, we are also trying to get individuals who are not in the audit function—they might be in the risk function, in the credit function, or in operational functions—to come into audit. We do it through rotational programs and guest auditor programs internal to the organizations we work for. I think we are doing a much better job with branding: describing what internal audit is, the career of internal audit.

CPAJ:

How have stakeholders’ expectations of internal auditing changed? How can those expectations be aligned with practice?

Martinelli:

Traditionally, internal auditors looked at financial risk, compliance risk, and operational risk. Some of the risks that we are now looking at, more in the way of byproduct, are strategic risks, cultural risks, environmental risks, and social risks. The challenge we face is: How do you audit those? How do you report on them?

We are now looking at those reports on an aggregate basis to see if, overall, there is an indication from the results that, collectively, strategic risk is increasing or reputational risk is increasing for a given business. It is an area where we are expanding what we are doing; it is still untested waters. Really, what boards and what stake-holders and regulators are looking for us to do is give more of our opinions on what we are seeing.

CPAJ:

How do you handle the responsibility that comes with such expectations?

Martinelli:

With our seat at the table, there is a higher expectation of us being able to execute the work that we have been charged to do. Does that mean finding everything? No. But there is a requirement and expectation—by the stockholders, by the shareholders, by our regulators, by management—that once we have executed an audit, we found most of the significant items. That is not a small responsibility. It does create a level of pressure to be sure that what we are executing is correct.

The other thing is making sure you have a supportive audit committee, audit committee chair, and management. You want to make sure that they understand what you are doing and how you are doing it. One of the most significant powers we have as internal auditors is that we are independent. That means we work for the company, but our reporting line is directly to the chairman of the audit committee. That is a very powerful thing.

CPAJ:

Has the deliverable, the final report, changed?

Martinelli:

Traditionally, we have issued 15-page audit reports, whether they were on paper or electronic. Can we expect somebody today on an iPhone or an iPad to read a 15-page report? We have to be able to adapt and transform our thinking. One of the things we are asking ourselves now is: How do we take our audit findings and communicate them electronically in a concise way that conveys the message we want to be able to convey, while being able to give the level of detail that we want?

CPAJ:

What final advice would you give to prospective internal auditors?

Martinelli:

There are very few professions that give you the opportunity to see so many different career paths and so many different industries. I would highly recommend it to individuals who are starting their careers.