In an exclusive interview, Internal Auditor Middle East connected with Martin Wiedemann, CIA, CQA, a Partner based in Germany and EY’s Internal Audit Services Leader for the Europe, Middle East, India and Africa (EMEIA) region. Martin has over 25 years of experience providing assurance and advisory services to leading local and international companies. He also has experience living and working in the Middle East having established and led EY’s Risk Advisory Services in Qatar.
Martin leads various EY teams providing outsourcing and co-sourcing services for Internal Audit functions in automotive, chemicals, utilities and manufacturing sectors. He has also led strategic performance reviews for the internal audit departments at major companies located in Germany, Russia and the Middle East as well as internal audit transformation programs in Europe and Asia.
Finally, Martin is an active supporter of the Institute of Internal Auditors as well as a prominent speaker at local, regional and international events.
Internal Auditor Middle East connected with Martin Wiedemann during his most recent trip to the United Arab Emirates.
What do you think are the top challenges that our stakeholders are dealing with these days?
Digitization is the number one challenge our stakeholders are dealing with. Internal audit’s stakeholders will continue to deal with many challenges such as achieving the organization’s growth targets, reliability of financial reporting, optimizing the supply chain, complying with complex regulation and other challenges. But these days they think about all these challenges in the context of new technologies and the potential disruption of their business model. For example, when it comes to growth targets, CEOs think about how they can use technology to create new revenue channels. Similarly, CFOs would ponder the impact of blockchain on the intercompany transactions and other financial reporting areas. This means that the business processes of organizations will change and with that will come a new set of risks. However, the classical risk universe won’t go away; it will be enlarged by an onslaught of digital risks.
Given these challenges, what is the value that stakeholders expect to get from their internal audit function?
Stakeholders are expecting us to audit these digital risks as well as audit the digital agenda. Further, boards are asking internal audit to identify risks that are not on the board’s agenda nor on management’s radar. This means supporting risk identification and not just focusing on auditing management’s mitigation/response to risk.
In addition, there is an expectation to limit the amount of time spent focusing on the past. Internal audit needs to focus on the present and provide advice on risks before they occur by getting involved at the right time. There is limited value coming in after the fact and telling management about what went wrong on a completed $10 million project. Most likely they already know what went wrong.
Finally, the somewhat surprising trend we’re seeing at several major organizations is that stakeholders are asking internal audit to challenge the business to see if they are doing things the right way. Let’s take a strategy audit as an example: It’s not just about looking at the strategic planning process and how well the execution is going, it is now about asking “if we use strategy #1 will it work given our organizations’ processes, risk and control frameworks?”. Here internal audit challenges the way strategy is put into reality. All that being said, internal audit will still need to make sure it gives appropriate attention to core assurance areas.
Some of the best chief audit executives are like sparring partners to senior management; it’s someone they trust and who can challenge the way they are managing business risks.
So how can internal audit functions align their team, methodology and outcomes to these expectations?
This requires a significant change in the skill sets of the team and the tools used by the internal audit function. The skill set at leading internal audit functions has already been evolving. Looking back at audit functions I worked with 15 years ago, the majority of team members had 5 or fewer years of experience. Today, these same functions have evolved to include a majority of team members with 15 – 20 years of experience. These team members are able to challenge the business in a way that someone with 5 years of experience can’t. Also the reality in many organizations is that the likelihood of a recommendation being accepted when put forward by a senior team member is higher than when a less experienced member puts the same recommendation forward. This skill model doesn’t mean that junior team members are not required, it just means that they cannot form the backbone of the internal audit function.
As for the tools, internal audit obviously needs to go digital to keep up with the business. This means efficient analytics delivery and optimized operations through further process standardization. In today’s world almost all processes leave a digital footprint that can be audited. This means less time to execute the work but also better quality findings as 100% of the population has been audited. But going digital is more than mining for data around duplicate payments or duplicate addresses in the supplier master data. It also needs to address the present (with real time analytics) and the future (using predictive analytics). In addition the internal audit department needs to digitalize / automize their own processes as much as possible. This means the split of work between the “Human” and the “Machine” needs to be redefined. The human focusses on the qualitative part of the work, defining the questions which need to be asked by the auditors in the course of audits. The machine is then used as much as possible to collect possible answers but it is again the Human who decides about the quality of answers.
How does the mandate of the internal audit function impact the value that it delivers to stakeholders? For instance, many functions still have a SOX-only or compliance-only mandate.
The mandate of the internal audit function to give independent assessments and to be the third line of defense is fundamental and will not change, however it is what internal audit looks at that is changing. What internal audit departments look at drives their perception and value. This is partly due to the mandate and partly due to capabilities of the internal audit team. High performing internal audit functions are like fine German cars while other departments look more like wagons. There is also the scenario of German cars being used like wagons and that would be the result of the limited mandate. Some stakeholders don’t really care about the full potential of an internal audit function and focus internal audit’s efforts mainly on ICOFR or compliance. This is short-sighted thinking by stakeholders: they must look to build the internal audit function an organization really needs rather than the internal audit function they want to have. There is a role for the CAE to educate stakeholders about the full potential of internal audit and the horsepower it has under its hood! CAEs need to invest in new ways of working and show innovative results.
Some CAEs may be in a sort of Catch-22 situation: they don’t have the right resources to add value so they are unable to add value and when they ask for resources they don’t get them because they are not adding value! The CAE, through education or innovation, needs to break out of this box and present a different value proposition. Find out what others are doing and educate stakeholders to remain relevant. Get buy-in for a proof of concept for analytics or for a high value audit. Doing nothing leaves the CAE at risk as one day a new and more forward-thinking Audit Committee may come on board and then the CAE will be viewed as someone who is out of touch with modern times.
Many CAEs struggle to stay close to the business and keep up to date with all the changes and initiatives happening across the company. What advice do you have for them?
There are two dimensions to this. The first relates to getting formal access to the right people and reports. This is a way to keep up to date and if you’re not able to get access then such an issue would need to be escalated. The second dimension relates to having a seat at the table. This is where many CAEs struggle and I would attribute it largely to management’s perception of internal audit. This perception comes about when internal audit has not been able to demonstrate that it understands the business or does not discuss topics that are applicable to management’s agenda. The more value internal audit demonstrates the more likely the CAE has a seat at the table. With increased value you get increased acceptance of the function and hence you get more budget and more authority.
I would recommend that CAEs start with 1 to 1 meetings with key stakeholders, use the Audit Committee and CEO to set the right tone and push for the appropriate access. The onus then falls on the CAE to listen, adapt the audit plan and add value accordingly. The harsh reality is that if you as a CAE are not able to get that seat at the table after persistent tries, then it would be wise to consider alternative employment as you will not be successful in the long term.
Finally, how can CAEs know whether they are adding strategic value to the business?
The most important metric to measure this is whether the CAE receives requests from management asking for internal audit support to provide advisory or even assurance services. These would come not just from the second line but also from a broad spectrum of senior operational leaders. Similarly, consider whether the business calls you and consults with you. This is critical as it goes back to my point on having experienced auditors with industry experience.
Another approach is to just go and ask your stakeholders if you’re adding strategic value. They should be senior enough to give you honest feedback. Also, I’d say take a step back and look at what is important to the organization and then look at what you’re doing as an internal audit function. If they are aligned then you’re probably adding value!
Finally, if I have to leave your readers with a couple of parting thoughts, they would be:
- Address risks and topics beyond today’s scope (including digital risks); and
- Focus on becoming an agent of positive change within your organization.