What’s top of mind for chief audit executives right now? Richard Chambers moderates a lively conversation with Shannon Urban (VP& CAE at Hasbro), Diana Pagliarini (EVP & General Auditor at State Street), and Carl Hatfield (Managing Director at Protiviti) that ranges from top internal audit priorities to keys for career success to talent management strategies:
- Focus areas on risk-centric audit plans in a time of high risk volatility
- Skills and habits for career success in internal audit today.
- Creative approaches to identify, attract, and retain forward-thinking talent.
- Watch the full conversation, and read the can’t-miss highlights below.
Key Areas in the Audit Plan in a Volatile Risk Environment
Diana Pagliarini, State Street: The first thing I’m thinking about is around change: the change that’s coming and the change that’s happened. The great resignation didn’t just affect internal audit, it affected certain businesses. Things perhaps that have been stable for some time may now be disruptive. The steady stuff is worth a look to see, can you get a metric on turnover above a certain level in different parts of the organization? That’s your ongoing risk assessment. I think that’s really a key area of focus and an opportunity both the way forward and the way back.
I also think about things like the convergence of risk. If we think about geopolitical risk, you look at concentration of risk, where the footprint of the company is, and then you add to that an operational risk, it’s really different now. Risks don’t behave and stay in their own pillars. They move around, they take on their own life. But that’s an opportunity for us to look at those differently. So I think that that’s really important for us and the sustainability of processes that we’ve seen, that’s a new dynamic all its own. So how do you keep on top of that?
I try to keep in mind, what are the headliner messages in the audit plan? An example of this is a culture audit. You talk to a business head or the CEO about a culture audit, everybody gets nervous. We’ve got so many more risks going on, why are we looking at culture? Well, there’s a framework and there’s certain jurisdictions around the world that have laws on this. This is now the new norm. What I do find is if we’re doing first-time audits, we should make that known to the board when we deliver the plan and to the business heads when we’re talking through our plan and when we’re issuing reports. If this is a first-time audit, we should say that. If you do a first-time audit and they come out well, that’s a strong statement. If it’s a first-time audit and things were bumpy, I’m not sure people would be terribly surprised. But it’s a new kind of call to action.
Carl Hatfield, Protiviti: Around company transformations and emerging technology, with organizational change management and M&A activity it’s important to understand how the organization is changing and how it will be utilizing some of the newer technologies — cloud, IoT, blockchain, AI. All these newer technologies organizations are starting to roll out, looking at it not just from an overall impact, whether it’s operational or financial, but certainly reputational aspects.
We’re really focused on AI as organizations roll that out, whether it be on insurance claims decisioning system or other areas within the business. Now it’s ChatGPT and what are we doing about that? What’s their policy? How are we protecting against it? Et cetera, et cetera. Those are the types of emerging areas of risk coverage.
Process mining technology is something organizations are looking to adopt both operationally within internal audit to really look at data to see how a process works. Why do we get an invoice and then go create a vendor? That’s probably not the way it’s supposed to work. There’s lots of other examples, but process mining technology is really something that organizations are focused on.