The evolution of the Internal Audit mandate

1 June 2023
Dirk van Bastelaere Communication Manager CFO Services Connect on Linkedin

Interview with Annemie Pelgrims, Expert Practice Leader Risk

The scope and objectives of Internal Audit have expanded over time to adapt to emerging risks, regulatory requirements, and evolving business needs. 

In this longread interview, Annemie Pelgrims, Expert Practice Leader Risk at CFO Services in Pragmatic Advisory & Implementation, explores the evolving role of Internal Audit. With her extensive expertise in internal audit, internal control, and risk management, and a keen eye for emerging challenges, Annemie sheds some light on how the Internal Audit function can be transformed to meet the changing demands of the business. 

Asked for her BHAGs for 2023 and beyond, she says she wants to motivate people to become internal auditors, and she will further enhance the role of internal audit as a trusted business advisor.

A transformative experience

Annemie, can you tell us something about your background and how you ended up in internal audit?

Annemie Pelgrims: ‘I have a master's degree in applied economics. Like a lot of young graduates, I started my career in external audit at a Big 4 company, assessing organizations’ financial statements and disclosures.

‘While it provided a strong background, I realized I was more interested in improving processes, to support organizations in meeting their objectives. Within external audit, your main focus is on the correctness and completeness of the financial statements of an organization. This led me to shift to consulting, specifically internal audit, where I could support organizations with the improvement of their strategic, operational, compliance, and financial processes, both in the public and private sectors. In internal audit, you get to experience all the ins and outs of a company. Working with various companies, I gained broad experience in internal audit, internal control, and risk management.

‘Later on, I had the privilege of developing and managing the Internal Audit function at an international automotive company. In this role, I collaborated closely with the business to identify opportunities for process improvement. We were responsible for conducting rolling risk assessments; we developed and executed the annual internal audit plan using data analytics; and we reported to the audit committee and senior management.

‘The majority of our internal audit plan consisted of high-impact internal audits, where you closely work together with business experts and are able to provide new insights to management and the audit committee. I truly embraced this role of a strategic business advisor, working alongside the business and management, providing pragmatic advice and support to help the organization achieve its strategic, operational, financial, and compliance objectives.

‘This experience proved to be transformative, fueling my passion for internal audit. In my current position, I am dedicated to changing the perception of internal audit from a policing function to a strategic business advisor. My aim is to support organizations and their Internal Audit functions in evolving their mandates and delivering valuable insights to drive positive change.’

I am dedicated to changing the perception of Internal Audit from a policing function to a strategic business advisor

Annemie Pelgrims, Expert Practice Leader Risk, CFO Services

Internal Audit: Operating within the given boundaries of the mandate as an assurance provider

Where does the perception of Internal Audit as a compliance function come from, and why aren't organizations aware of the potential advantages of Internal Audit as a business advisor?

Annemie Pelgrims: ‘The perception of internal audit as a mechanistic or compliance function stems from its traditional role as an assurance provider, primarily focused on assessing process compliance. This narrow view limited the exploration of its broader possibilities. However, with the current business disruptions and shifts happening, organizations are starting to recognize the potential of internal audit in assessing and mitigating the risks associated with these disruptions. As they become aware of these possibilities, they can embrace a more advisory role.’

Is it more common for the Internal Audit function in Belgian companies to be seen as a policing function than it would be in international companies?

Annemie Pelgrims: ‘The distinction between Belgian and international companies is not significant in this regard. However, it is common for traditional Internal Audit functions to be perceived as police officers, focusing solely on identifying internal control deficiencies without t actively contributing to business improvement. 

'To truly fulfill the role of a business advisor, internal audit needs to be positioned differently. By obtaining the approval of audit committees and boards, internal auditors can engage with the business and conduct rolling risk assessments, using data analytics, which enables them to audit emerging risks that are top of mind with management, boards, and audit committees. The execution of such high-impact internal audits addressing emerging risks will provide valuable insights that lead to business improvements and changes within the organization.’

Did the lack of strategic thinking among internal auditors in the past contribute to the perception of their compliance role? It seems reasonable to assume that if you are assigned a specific role, such as providing assurance, you may simply comply with expectations.

Annemie Pelgrims: ‘In the past, internal auditors often operated within the boundaries of their given mandate. Approximately two years ago, the pandemic prompted companies to rethink their strategies and consider how internal audit could support necessary changes.

‘The role of internal auditors, particularly the Internal Audit Executive, has expanded, allowing them to contribute beyond their basic responsibilities. If you have a seat at the table during strategic business meetings, are involved in the execution of large projects, and provide support with the execution of enterprise risk management exercises, you gain deeper insights into the emerging risks your company faces, and you can build your audit plan on that. This increased exposure enables them to transition into an advisory role.

‘Additionally, leveraging data and collaborating with the business and management on how to use that data within internal audit and the broader company further enhances the auditors' ability to serve as advisors.’

Presenting your case to the Board

How do you present your case to a board or audit committee, convincing them that a strategic shift toward an advisory role for Internal Audit can be of crucial importance for the company?

Annemie Pelgrims: ‘Well, we always start with the development and implementation of a rolling risk assessment, continuously conducted throughout the year to ensure emerging risks impacting the organization's strategic goals are included in the internal audit plan. As auditors, we have the opportunity to gather insights through interviews with various business units, analyze data in the ERP system, and conduct market research to identify emerging risks that are pertinent in today's business landscape. One prime example of such a risk is cybersecurity, which has become a top priority across industries.

‘Once the risk assessment is complete, we present the findings to senior management, including the C-suite, and the audit committee. During this presentation, we highlight key risks the company is facing and propose two possible approaches. Firstly, we ask if management prefers looking into these risks themselves, or if they think Internal Audit should assess the risks in detail through the execution of high-impact internal audits.

‘Alternatively, we propose involving business units directly in mitigating these risks, while we offer our support and guidance throughout the process.

‘For instance, in the case of cybersecurity, we suggest including a cybersecurity expert in the internal audit team to provide expertise and insights during the preparation, execution, and reporting of internal audits. This expert will also collaborate in developing recommendations and can assist in their implementation. It allows for the Internal Audit function to transition into the advisory role we are talking about. The focus is on advising the business on improvement strategies and providing pragmatic support with the mitigation of risks.

‘The key to this approach lies in the initial rolling risk assessment, which includes the identification of emerging risks, and the alignment of our assessment results with the organization's strategic goals.

‘However, there is a common challenge faced by in-house Internal Audit departments. Typically, an internal auditor is a generalist. They often possess a broad understanding of various strategic, compliance, operational, and financial processes but lack specialized expertise in domains such as cybersecurity, supply chain, or finance transformation.

‘This is where Pragmatic Advisory & Implementation steps in. We can help Internal Audit teams by providing TriFinance experts who work alongside the internal auditors, combining their domain knowledge with audit standards. For example, a TriFinance cybersecurity expert, a supply chain expert, or a finance expert will collaborate throughout the audit process, providing valuable input during the preparation, execution, and reporting of the so-called, high-impact internal audits. Furthermore, they can actively support the business in implementing the recommended improvements. By doing so, we install a holistic understanding of risks, all the while enabling effective recommendations.'

Creating impact through data analytics and high impact internal audits requires a foundation of continuous risk assessment to develop a risk-based audit plan

Annemie Pelgrims, Expert Practice Leader Risk, CFO Services

High-impact internal audit: creating an AHA-Erlebnis

Do you have an idea of the current situation of Internal Audit departments in Belgian companies, and what are the factors to consider regarding the advisability and size of establishing an in-house Internal Audit department?

Annemie Pelgrims: ‘In comparison to external audit, internal audit is not mandatory for private companies. However, listed companies on stock exchanges throughout the world, such as the New York Stock Exchange in the US, require an Internal Audit function to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal controls.

‘Although these regulatory requirements are not applicable to private companies, organizations find it highly advisable to have an Internal Audit department and either establish an in-house Internal Audit department or outsource it to an external service provider.

‘Alternatively, you can build your own in-house department and, for certain topics, look to an external service provider for assistance. We can, for instance, support companies with the execution of a rolling risk assessment, the development of a risk-based internal audit plan, and the performance of high-impact internal audits that bring about an AHA-Erlebnis with management. We can also leverage data analytics throughout the internal audit lifecycle, which is especially useful for the execution of rolling risk assessments, full population testing during internal audit preparation and fieldwork, and continuous control monitoring purposes.'

Interesting! An AHA-Erlebnis. Can you give an example of that?

Annemie Pelgrims: ‘Aha moments can be created by executing high-impact internal audits in areas where the audit committee or C-suite may have limited insights, often in relation to emerging risks. 

‘By leveraging experts and using data analytics to enable full population testing, we can provide new information to the audit committee. Cybersecurity audits, including penetration testing, often uncover surprises and generate discussions with the board and executive management.

‘Surprises can also arise in more typical processes like the Procure-to-Pay process, where we often execute a value leakage internal audit, resulting in direct cost savings and recoveries, the realization of due discounts and rebates, contract management efficiencies, and, of course, internal control improvements. This high-impact internal audit is enabled through the use of advanced data analytic techniques and is always executed in collaboration with a TriFinance expert.

'Creating impact through the use of data analytics and the execution of high-impact internal audits starts with the execution of rolling risk assessments. If you don’t do that, you will not identify and execute those high-impact audits and will not create an aha moment with management, C-suite, and audit committees.’ 

Let's talk about Risk

You already mentioned cybersecurity. Are there any other emerging risks that highlight the need for companies to look toward their Internal Audit departments for effective mitigation?

Annemie Pelgrims: ‘In the 2022 TriFinance survey, C-level executives identified several risks, with the main one being the talent crunch. Many companies still face difficulties in finding suitable employees for key positions. Other significant risks mentioned during the TriFinance survey were recession and inflation.

‘The talent crunch is often identified as a key risk during risk assessment exercises, for which we propose to execute high-impact internal audits addressing HR-related topics, such as an internal audit focusing on retention. This internal audit is executed in close collaboration with the business, by assessing the talent management strategy and company culture in relation to the retention rates and talent development initiatives, to ensure employee stability. For this type of audit, we involve experts from our TriHD business unit, to ensure their expertise is taken into account during audit preparation, execution, and reporting.

On the other hand, conducting audits or providing added value as an internal auditor for risks like recession and inflation, which are market dynamics, can be challenging. Nevertheless, we see that many companies focus on value leakage audits, to identify potential leakages within the company. By uncovering these leakages and implementing measures to mitigate them, we can assist companies in recovering losses and addressing the root causes effectively.

Regarding global supply chain disruptions, which was another top-five risk, we collaborated with certified supply chain experts within our company to support the Internal Audit function during such high-impact internal audits. Our internal audits encompass production and supply chain planning, logistics & transportation, and procurement processes.

‘We can start with supply chain planning, examining how production planning aligns with the supply chain, and identifying any issues. Additionally, we assess procurement fundamentals, ensuring an adequate supply of critical raw materials to prevent disruptions.

Essentially, we analyze the entire supply chain. By involving supply chain experts, we identify risks at key points that may cause disruptions. We then propose action plans to management to mitigate these risks. And again, our experts can also assist with the implementation of those action plans.’

The building blocks for Internal Audit enhance the Internal Audit function by incorporating emerging risks, focusing on high-impact audits, leveraging technology and data analytics, and promoting continuous reporting to drive positive change and support strategic decision-making

Annemie Pelgrims, Expert Practice Leader Risk, CFO Services

Building blocks to support the Internal Audit function

To support the Internal Audit function, you have developed a method that uses building blocks. Can you elaborate on that?

Annemie Pelgrims: ‘

The building blocks are designed to support the Internal Audit function, specifically the Chief Audit Executive, in their role as a strategic business advisor. There are three key building blocks that facilitate this transition.

‘The first building block is a rolling risk assessment conducted throughout the year to build a risk-based internal audit plan This approach ensures that all emerging risks are identified and incorporated into the internal audit plan. By maintaining a risk-based approach and focusing on emerging risks, internal audit can effectively support the shift in the mandate.

‘The second building block involves conducting high-impact internal audits. To ensure internal audit is perceived as a valued business advisor, an internal audit plan should include high-impact internal audits beyond the traditional scope, addressing emerging strategic, operational, financial, and compliance risks that are top of mind with the Board and management

‘Lastly, data analytics play a vital role in supporting the Chief Audit Executive's function. By leveraging available data within the organization, internal audit can develop continuous control monitoring dashboards to use throughout the audit lifecycle, from the rolling risk assessment to the reporting of audit observations to management and audit committees

‘By facilitating full population testing instead of relying on sampling, data analytics helps internal audit create impact as it highlights risks and control deviations for the entire population. Unlike the traditional compliance-driven approach that only examines a subset of data,, full population testing can have a significant impact and will convince management to take action to mitigate identified risks. This approach ensures that risks manifesting across the entire population cannot be overlooked or dismissed.

‘Finally, continuous control monitoring and reporting are essential. Monitoring data and identifying instances where internal controls are not being performed provide an opportunity to collaborate with the business and address these risks effectively.

‘In summary, these building blocks enhance the Internal Audit function by incorporating emerging risks, focusing on high-impact audits, leveraging data analytics, and promoting continuous control monitoring and reporting to drive positive change and support strategic decision-making.’

As a strategic business advisor, an internal auditor can also assess processes that may not be fully described or lack general controls.

Annemie Pelgrims, Expert Practice Leader Risk, CFO Services

Process mapping and process mining to identify areas for improvement

When it comes to internal audit, how crucial is the end-to-end transparency of processes and their documentation, ensuring that internal auditors have access to check if controls are being performed?

Annemie Pelgrims: ‘Traditionally, internal audit focused on auditing processes with documented controls in place. However, as a strategic business advisor, an internal auditor can also assess processes that may not be fully described or lack general controls by applying a risk-based approach. This can be achieved through interviews, process mapping, and the use of data analytics tools like process mining. Process mining allows auditors to identify deviations and compare them to expected process outcomes across the entire population, providing valuable insights into what is going wrong. It's essential for an Internal Audit function to embrace process mining and continuous control monitoring.’

So, could this emphasis on process transparency serve as a first step toward process optimization?

Annemie Pelgrims: ‘Absolutely. By mapping the process and using process mining and data analytics, auditors can identify areas for improvement and develop action plans to address observed risks. It becomes a step-by-step process of mitigating issues and working with the business to enhance transparency and optimize processes.’

Would internal auditors advise companies to prioritize making their processes transparent and optimizing them if they identify control failures or gaps?

Annemie Pelgrims: Absolutely, but my advice would be not to wait for complete process descriptions or internal controls frameworks before conducting audits. Use common sense, identify and assess key risks, and start from there. Auditing can be done even without extensive documentation or controls in place if you apply a risk-based approach. It's about taking proactive steps and continuously assessing and improving processes based on the identified risks.’

BHAGs for 2023 - and beyond

Do you have any big hairy goals for 2023 and beyond?

Annemie Pelgrims: ‘Absolutely! One of my BHAGs is to build a highly skilled and motivated team. I want to motivate people to become internal auditors. I believe that exposing people to diverse processes and industries will provide invaluable learning experiences and help them discover their areas of interest. By interviewing experienced professionals with extensive industry knowledge, they can gain insights and knowledge from their expertise.

‘Another significant goal I have is to further enhance the role of internal audit as a trusted business advisor. I firmly believe that in order to demonstrate our value to the organizations we serve, we need to position ourselves in that role. By embracing this advisory role, we can actively contribute to the success of the organization and ensure that internal audit is seen as a valuable partner.

‘To achieve these goals, I will leverage the building blocks and frameworks that we have developed. These include a rolling risk assessment, high-impact internal audits, data analytics, and process optimization. By utilizing these tools and approaches, we can provide valuable insights, drive improvements, and support the organizations we work with in achieving their objectives.’