Businesspersons: Better leaders of internal audit than professional accountants

Businesspersons often possess stronger leadership and stakeholder management skills than accountants

The transformation of internal audit from a ‘policeman’ to a value-adding business partner has not been as rapid as that demonstrated by the finance and accounting function in the past three decades. While the finance and accounting function, driven by technology, data availability and data analytics, has transformed itself from a predominantly staid, boring, rules based and command/control centric transactional role to a strategic, analytical and emotionally intelligent business partnering role, the internal audit function has procrastinated in responding to the changes demanded by contemporary organisations. This, in my view, is largely due to the internal audit function in most organisations, globally, and particularly in Sri Lanka being ‘helmed’ by professional accountants rather than by businesspersons. 

The fundamental difference between the two lies in their core orientation. Accountants are primarily trained in the meticulous recording, analysis, and reporting of financial data. Their expertise lies in ensuring accuracy, adherence to accounting standards, and compliance with financial regulations. While these skills are crucial for certain aspects of internal audit, they often lead to an obsessive focus on historical data and the detection of past errors or fraud. Most accountants, as a part of their nature and nurtured nature, exude an air of mistrust. They are trained to be ‘suspicious,’ and they are, usually, slow to change in concert with evolving needs. 

In contrast, most businesspersons possess a holistic understanding of the organisation’s strategy, operations, market dynamics, and competitive landscape and are open to change. Their thinking is inherently forward-looking, focused on identifying opportunities, mitigating risks that could impede strategic objectives, and driving continuous improvement across the value chain. In Sri Lanka, most organisations seek professional accountants as Chief Internal Auditor (CIA – sounds right!) or Head of Internal Audit or Chief Audit Executive (CAE) as the position is popularly referred to now.

Policing function

Historically, internal audits have been perceived as a policing function, primarily concerned with ensuring adherence to internal controls, detecting fraud, and verifying the accuracy of financial records. This “watchdog” role, while crucial for maintaining financial integrity, portrays internal audit as a reactive function, intervening after issues have materialised. The action is akin to closing the stable door after the horse has bolted. With a heavy focus on compliance with established rules and regulations and limited involvement in strategic discussions or proactive risk identification, traditional internal auditors have been ‘loners’ operating in silos with their work centred on historical data, isolated audits of specific departments or processes and/or forensic audits to uncover evidence of fraud, financial misconduct or illegal activity for use in legal proceedings.

The skills required for these deliverables are second nature in professional accountants (accountants). Such skills are their forte. Therefore, the intensive and extensive demand for accountants in internal audit in the past is no surprise. 

The ever-evolving complexity and interconnectedness of modern business operations have necessitated a paradigm shift in the perception and function of internal audit. The increasing use of enterprise risk management (ERM) frameworks such as COSO, ISO 31000, NIST RMF, COBIT and RIMS RMM in assessing risk appetite, fostering and entrenching a risk culture, facilitating risk governance and oversight, integrating risk management and continuously improving the ERM framework, has brought to the fore the importance of a holistic and integrated approach to managing risks across the entire organisation. The expectations of investors, business leaders and other stakeholders of internal audits’ role in serving their needs in a dynamic modern business world has increased multifold. The pressure on the function of adopting a forward-looking, preemptive, strategic posture in providing, inter alia, independent, and objective assurance, and insights into the effectiveness of the organisation’s risk management, control, and governance processes is mounting.

Broadening scope of internal audit’s responsibilities

One key aspect of this evolution is the broadening scope of internal audit’s responsibilities. Beyond the traditional financial and control audits, modern internal audits are increasingly involved in operational audits, compliance audits (encompassing a wider range of regulations beyond financial reporting), IT audits, environmental audits, and even strategic audits. They are tasked with evaluating the efficiency and effectiveness of operational processes, ensuring compliance with a diverse array of legal and regulatory requirements, assessing the security and reliability of information technology systems, evaluating the organisation’s environmental impact, and providing insights into aligning operational execution with strategic objectives.

Amazon’s internal audit function, for instance, is known to extend beyond traditional financial oversight. It covers audits of its complex supply chain, its data security infrastructure, its compliance with diverse international regulations, and operational efficiency across numerous business segments ranging from e-commerce to Amazon Web Services cloud computing. The insights generated by internal audit help Amazon proactively identify and mitigate risks across these diverse areas, contributing to its operational resilience and sustained growth.

Another significant shift is the increasing emphasis on proactive risk management. Internal auditors are no longer expected to simply look at the past. They are expected to be actively involved in identifying, assessing, and evaluating potential risks that could impact on the organisation’s objectives. These expectations compel them to work collaboratively with management to develop and implement risk mitigation strategies and provide assurance on the effectiveness of these strategies. This proactive approach allows organisations to anticipate and address potential problems before they escalate into significant issues, thereby saving costs and time and protecting their reputation. 

John Keells Holdings PLC (JKH), Sri Lanka’s most respected company, every year bar one, since 2005, appointed a generalist as its Chief Audit Executive in 2013 and replaced him with an information technology-savvy businessperson in 2016. The result has been the establishment of a business focused, digitally driven world-class function which caters to modern business needs. Unilever, the global consumer goods giant, is also a good example in these respects. Their internal audit function plays a crucial role in assessing and monitoring risks related to their complex global supply chains, including ethical sourcing, environmental sustainability, and quality control. By proactively identifying potential disruptions and weaknesses, internal audit helps Unilever build a more resilient and responsible supply chain, aligning with sustainability goals and mitigating reputational risks.

Dependable strategic partner to management

It is indeed a matter of note that the role of internal audits has evolved to become a dependable strategic partner to management. Instead of being perceived as an adversary, modern internal auditors are increasingly seen as trusted advisors who provide valuable insights and recommendations to improve organisational performance. They are expected to understand the organisation’s strategic objectives, industry dynamics, and competitive landscape, and to structure their audit activities accordingly. This requires internal auditors to possess not only strong technical skills but also excellent communication, collaboration, and business acumen.

Netflix, a company operating in a rapidly evolving digital entertainment industry, relies heavily on its internal audit function to provide strategic insights. This includes evaluating the risks and opportunities associated with new content acquisition strategies, assessing the effectiveness of their data analytics in driving subscriber growth, and ensuring compliance with global data privacy regulations. By providing independent and objective assessments, internal audit helps Netflix navigate the complexities of the digital landscape and make informed strategic decisions.

The integration of technology has also profoundly impacted on the mechanics of internal audit. Data analytics, artificial intelligence (AI), and robotic process automation (RPA) are being adopted to enhance the efficiency and effectiveness of audit processes. Data analytics allow internal auditors to analyse large volumes of data to identify patterns, anomalies, and potential risks that may be missed through traditional audit techniques. AI is being increasingly used to automate routine audit tasks, thereby freeing up auditors to focus on more complex and judgmental areas. RPA can streamline repetitive processes, improving efficiency and reducing the risk of human error. 

Deloitte, and KPMG, leading professional services firms, have invested heavily in data analytics and AI capabilities in providing internal audit services. These advanced analytics allow them to provide clients with deeper insights into their data, identify emerging risks, and deliver more targeted and value-added recommendations. This demonstrates how technology is empowering internal audits to move beyond traditional sampling techniques to more comprehensive and insightful assessments.

 Most accountants, as a part of their nature and nurtured nature, exude an air of mistrust. They are trained to be ‘suspicious,’ and they are, usually, slow to change in concert with evolving needs. In contrast, most businesspersons possess a holistic understanding of the organisation’s strategy, operations, market dynamics, and competitive landscape and are open to change. Their thinking is inherently forward-looking, focused on identifying opportunities, mitigating risks that could impede strategic objectives, and driving continuous improvement across the value chain 

Broader range of competencies

In keeping with the above-mentioned, the skills required of the Chief Audit Executive (CAE) and internal auditors have also evolved significantly. While a strong understanding of accounting and auditing principles remains essential, modern internal auditors need a broader range of competencies. 

These include, > Risk Management Expertise, i.e. a deep understanding of risk management frameworks and methodologies, > IT Acumen, i.e. a good knowledge of information technology systems, cybersecurity risks, and data privacy regulations, > Data Analytics, i.e. the ability to analyse large datasets, identify trends, and draw meaningful conclusions, > Communication and Interpersonal Skills, i.e. the ability to effectively communicate audit findings and recommendations to various stakeholders, build relationships, and influence decision-making, > Business Acumen, i.e. a strong understanding of the organisation’s industry, strategy, and operations, > Critical Thinking and Problem-Solving Skills, i.e. the ability to analyse complex issues, identify root causes, and develop practical solutions, and > Adaptability and Agility, i.e. the capacity to adapt to changing business environments and emerging risks.

While accounting expertise is undeniably valuable within an internal audit team, the thrust of my argument is that a businessperson, with his/her broader strategic perspective, operational understanding, and inherent focus on value creation, is a more effective leader for internal audit in large organisations than a professional accountant. One of the primary advantages of having a businessperson lead internal audit is his/her holism, compared to a typical accountant, in aligning the audit function with the overarching strategic goals of the organisation. They are usually better positioned to understand the key strategic risks that could prevent the company from achieving its objectives and tailor the audit plan to address these critical areas. 

For instance, if a large multinational corporation is pursuing an aggressive expansion into new emerging markets, a business-savvy Chief Audit Executive will, likely, prioritise audits focusing on the due diligence processes for acquisitions, the establishment of robust internal controls in these new territories, and the potential for political and economic instability impacting operations. Accountants, while capable of auditing the financial aspects of these expansions, may, because of a lack of emphasis on broader business acumen in their curricula, training and psyche, struggle to fully grasp the strategic implications and associated risks.

Cross-functional perspective

Furthermore, businesspersons bring a deeper and more natural understanding of the organisation’s operations across different departments and functions. They are likely to have held roles in various business units, gaining firsthand experience in areas such as sales, marketing, operations, supply chain, and technology. This cross-functional perspective allows them to identify systemic risks and inefficiencies that might be overlooked by an accountant primarily focused on financial controls. For example, a business-oriented audit leader might recognise that a bottleneck in the supply chain, while not immediately impacting financial statements, could lead to significant revenue losses and reputational damage. They can then initiate audits that examine the beginning to end supply chain processes, identify weaknesses and bottlenecks and recommend improvements which enhance efficiency and resilience.

Businesspersons are likely to be more inherently focused on value creation and performance improvement. They understand that internal audit is not merely about finding fault but about identifying opportunities to enhance efficiency, effectiveness, and profitability. They can frame audit findings and recommendations in a business context, highlighting the potential impact on key performance indicators (KPIs) and the bottom line. 

For instance, instead of simply reporting a deficiency in inventory management procedures, a business-minded audit leader can quantify the potential cost savings by implementing more efficient inventory control systems and demonstrate how these improvements can contribute to the overall profitability of the organisation. This business-centric approach makes the internal audit function more relevant and impactful to management, fostering greater buy-in and support for audit recommendations.

The ability to effectively communicate with and influence senior management and the board of directors is another critical advantage of a business-oriented audit leader. They can speak the language of business, understanding the strategic priorities and concerns of leadership. They can frame audit findings in a way that resonates with business leaders, making it easier for them to understand the significance of the issues and the urgency of implementing corrective actions. For example, when presenting findings related to cybersecurity risks, a businessperson will articulate the potential financial and reputational damage in terms of lost revenue, customer attrition, and brand erosion, thereby compelling senior management to prioritise investments in cybersecurity controls. An accountant is likely to focus more on the technical aspects of the vulnerabilities and therefore unlikely to convey the impact forcefully to ignite action.

Collaborative and results-oriented culture

Businesspersons often possess stronger leadership and stakeholder management skills than accountants. They are accustomed to leading teams, motivating individuals with diverse skill sets, and building consensus across different departments. This is crucial for leading an effective internal audit team, which typically comprises professionals with backgrounds in accounting, IT, operations, and other specialised areas. A business-oriented leader can foster a collaborative and results-oriented culture within the audit team, ensuring that individual expertise is leveraged effectively to achieve the overall audit objectives. They are also adept at managing relationships with auditees, fostering a spirit of partnership and continuous improvement rather than adopting an adversarial “policing” mentality.

Let me amplify than suffer the wrath of my accounting colleagues. I am not saying that accountants cannot be effective businesspersons. What I am emphasising is that unless there is a change in basic drivers of their curricula, training and emotional intelligence, accountants are unlikely to match the skills and abilities of trained businesspersons in satisfying the experience and exposure requirements of a modern Chief Audit Executive. Internal Audit at General Electric (GE) under Jack Welch’s leadership, as way back as the eighties, was not viewed as a mere compliance function. It served as a strategic arm of the company, providing a unique, company-wide perspective. As a part of its leadership development strategy, management trainees were deliberately placed in internal audit to gain exposure to various business units, processes, and leadership styles across the organisation. This broad exposure allowed them to develop a deep understanding of GE’s operations, financial controls, and risk management practices. 

The future of internal audit is evolving towards a more strategic and proactive role, leveraging technology to provide real-time assurance and advisory services, rather than solely focusing on compliance. This shift involves adopting technologies like AI, automation, and blockchain, and expanding the scope of assurance to include digital technologies, decision governance, and behavioural appropriateness. 

The Chief Audit Executive (CAE) of today must be a strategic advisor, navigating complex digital ecosystems and leveraging technology to provide real-time assurance and foresight. This role will involve advising on critical business issues and anticipating risks, rather than solely focusing on delivering assurance. The CAE will need to possess a wide range of skills, including technical competency, teamwork, communication, leadership, stakeholder management, and adaptability and must be able to inspire different experiences and mindsets into their teams to experiment and pioneer new models. The CAE must look beyond the traditional internal audit horizons. A businessperson is likely to do that best.

(The writer is currently, a Leadership Coach, Mentor and Consultant and boasts over 50+ years of experience in very senior positions in the corporate world – local and overseas. www.ronniepeiris.com.)