With these new responsibilities Shayne Gregg, an enterprise risk partner at Deloitte & Touche LLP in Vancouver with 20 years of risk consulting experience, said he believes it's time for CAEs to become strategic business partners with the C-suite. He added, however, that the "new" CAE must not only bring business management acumen to the role, but also must be technologically hip enough to deploy the latest tools to ferret out a wide range of risks facing corporations.
SearchCompliance.com Executive Editor Ed Scannell caught up with Gregg to get his thoughts on solutions to a number of problems facing CAEs, including how to be a less threatening presence to the C-suite by creating a culture of transparency and not a culture of fear.
What is the role of the chief audit executive, and why is it becoming more
Gregg: The chief audit executive's job has recently become an important executive role. The driver of that has been the boards of directors that own the audit, risk and compliance responsibilities for the organization from an oversight perspective. Boards want an individual that reports to them directly or on a dotted line, but who also reports to the chief financial officer [CFO]. This was to ensure that management is aware of all risks and control efficiencies. The job has also acquired a number of new responsibilities like helping support external auditors, looking at financial processes throughout the organization to identify risks and, as distributed technologies grew, examining the quality of the controls around technologies in satellite environments.
Have the corporate scandals of the past decade helped elevate the CAE's role?
Gregg: Absolutely. There have been some fundamental defining moments that have changed the role of those in internal audits. The increased growth and regulatory oversight came to a head with Enron and WorldCom and the introduction of SOX [the Sarbanes-Oxley Act]. SOX basically said, "All that stuff you have been doing as best practices, that now needs to be reported back to a regulator." So suddenly the role became important because now these people [CAEs] were keeping the CFO and COO out of jail.
Yet you believe that chief audit executives are still not working as closely as they could with the C-suite. Why is that?
Gregg: Generally, organizations were overwhelmed when SOX came in and so they appreciated the role CAEs were playing in exposing risks. But the CAE's role is one that brings a lot of negative messaging, too. There is no such thing as a fun audit. You are the constant bearer of bad news.
How do CAEs solve this PR problem they have inside their own companies?
Gregg: Well, some internal audit departments have figured out how to spin that and make it a positive message about proactively managing risk. But chances are the CAE is not at the forefront of the strategic decision making; they are typically at the back end. Management only wants them to come and tell them if something looks scary, as opposed to asking them what they think they should be doing about, say, acquisitions. Internal auditing is at a crisis point in some respects. It is at a point where people other than auditors using technology are finding risks faster and bringing them to management's attention before the auditor. If that continues, auditors can become redundant quickly.
How do you see the relationship these days between CAEs and IT directors? Does it need to be
Gregg: Absolutely it needs to be tighter. In most organizations there is either an adversarial relationship or merely an awareness of each other. If the CIO and other C-suite executives are working closely with the CAE, then it is likely they have already assessed their own risks and know where they are and aren't in control of risk. They likely have had a frank discussion with internal audits and offered to work together on areas that need tightening. So in that sense, internal audits can be an ally for IT; they could lobby with upper management to get them more budget. But others are adversarial, which is not the best way to go.
What advice can you offer organizations looking to build a better internal auditing
Gregg: First, it is about empowering the business. Rather than treating the business as something that needs to be audited, like the IRS coming in, which creates a culture of fear, it is better to create a culture of partnership and transparency, being careful that you are not losing your independence or integrity. The other thing CAEs can do is use technology better. In general, CAEs have been really slow to adopt new technology. Maybe that's because their budgets won’t allow them. But if you are looking for risk in an organization, there are a lot of places technology can help you find it.
How robust is auditing software these days?
Gregg: It's still pretty nascent. There are some software companies that have been around for 10 to 15 years and really focus in on this sector and have a good grasp of it. But there are many more that just hover around it and say, "Well you can sort of use our product for [auditing], but it does these other things." But management is starting to come around and see the value in these auditing tools.
Are social media tools, along with edge computing trends, complicating CAEs’ lives these
Gregg: Yes, the volume of data is phenomenal. We capture far more metadata and nonfinancial data than just the core financial data now. But there is just as much need for that data to be accurate. So to put your arms around this problem you really have to use technology to make sure all this data going into the system has integrity.
You believe the CAE's role is a natural steppingstone to the CFO's office? Why?
Gregg: There is a tremendous shortage of strong financial talent in the world, so there is the supply issue. In most countries, the demand for CFOs far outstrips the number of people graduating from CPA programs. Plus, the CFO today is really an executive management role and less of an accounting role. So the CAE, being one of the few people that must look into every corner of the company for risk issues, is pretty qualified to step in as CFO to run the business.