Beyond the Green Eyeshade: Why Internal Audit is Your Board's Secret Weapon [The IIA]

Show Notes

Internal audit plays a critical yet often misunderstood role in corporate governance. In this episode, Doug Chia is joined by Carey Blakeman and Benito Ybarra from the Institute of Internal Auditors, and Mike Varney from Crowe LLP, to unpack what internal audit actually is, and what it isn’t. They explore how the function extends far beyond compliance, offering both assurance and strategic advisory to help organizations identify and manage risk.

They also discuss why internal audit is uniquely positioned to provide a cross-functional view of an organization and why boards should be engaging more deeply with it, reporting structures, independence, fraud risk, and the evolving expectations of the profession, including insights from Vision 2035. They ultimately make the case for elevating internal audit as a key contributor to effective governance and long-term value creation.

What you'll learn:

• How to move beyond the "police watchdog" perception by adopting a strategic advisory role that aligns internal audit plans with the organization’s long-term strategic goals.
• The critical importance of organizational positioning, ensuring the function reports functionally to the board or audit committee to maintain the independence required for objective oversight.
• Practical ways to oversee the rapid implementation of artificial intelligence by establishing governance frameworks that mitigate the risks of "phantom AI" and ensure technology is deployed in a systemic, structured manner.
• The six essential criteria for an effective internal audit function, including following global standards, maintaining certified staff, and undergoing external quality assessments every five years.
• Why the scope of internal audit is expanding to include global business resilience and sustainability assurance to meet the evolving expectations of diverse stakeholders.

To learn more & get resources:

• Podcast & episodes: www.publiccompanyseries.com
• Download the book: www.nyse.com/pcs

Subscribe now to hear insights from the most respected voices in corporate law and governance.

Chapters

• 0:40: Meet the guests: Carey Blakeman, Benito Ybarra, and Mike Varney
• 1:30: Setting the context: Internal audit’s critical role in corporate governance
• 3:20: Overview of the Institute of Internal Auditors and its global mission
• 8:20: Defining the internal audit function and strategic risk mitigation
• 14:50: Addressing fraud risks and global operational oversight
• 17:50: Understanding “assurance” and updated global audit standards
• 21:30: Vision 2035: Future trends, strategic alignment, and funding
• 26:10: Where internal audit should sit within the organization
• 29:10: The mandate for direct board-level reporting
• 34:10: Regulatory impacts and hiring responsibilities of audit committees
• 37:50: Navigating leadership relationships and transparent communication
• 41:30: Developing effective audit committee and internal audit charters
• 46:20: AI risks and implementation
• 51:40: Essential criteria for audit effectiveness and executive acumen
• 57:10: The role and value of private executive sessions
• 59:40: Findings and key points from the Vision 2035 report
• 1:03:50: Including sustainability and resilience

Transcript

[00:00:00] Doug Chia: Welcome to the Public Company Series Podcast, powered by OnBoard: giving boards the clarity, security, and insights they need to make better decisions and deliver lasting value. I'm your host, Doug Chia. This podcast series is designed to give corporate directors, executives, and governance professionals the insights and tools they need to build boards that are agile, resilient, and prepared for the future.

[00:00:32] Doug Chia: It's based on the book Board structure and Composition, which is part of the Public Company Series published by the New York Stock Exchange and JP Morgan. My guests for today's episode are Carrie Blakeman, director of Corporate Governance Engagement at the Institute of Internal Auditors, Benito Ybarra, executive Vice President for standards and Guidance at the Institute for [00:01:00] Internal Auditors.

[00:01:01] Doug Chia: And Mike Varney, who's the immediate past chair of the Institute's North American Board and a partner at Crow LLP. Carrie, authored the chapter of the book entitled The Value of the Internal Audit Function and The Risk of Not Engaging. And so Carrie, Benito and Mike, welcome to the show. 

[00:01:26] Carrie Blakeman: Thank you for having us.

[00:01:27] Benito Ybarra: Thank you. 

[00:01:27] Mike Varney: Thank you. Glad to be here. 

[00:01:29] Doug Chia: So I'll set the context for today's discussion and then we'll get into the discussion. Uh, one of the most important functions that supports a corporation's governance is internal audit. It's a department with an enormous role when it comes to establishing the internal control environment and a culture of compliance.

[00:01:52] Doug Chia: But internal audit is an area that rarely gets talked about when it comes to corporate governance. So the underlying [00:02:00] challenge that Carrie, Benito and Mike will be addressing today is how can boards gain a common understanding of what internal audit is, the scope of its activities, and how it is distinct from the other functional areas responsible for corporate governance.

[00:02:19] Doug Chia: Many board members have never worked closely with internal auditors, so it's critical for all board members, not just the members of the audit committee, to know how to work effectively with internal audit for the board to fulfill its duty of oversight. The chapter of the book that we're covering today explains in great detail what the internal audit function is and the critical role it plays in corporate governance, including what internal audit functions do, where the internal audit function is organizationally positioned, essential risk oversight, responsibilities of board and audit [00:03:00] committees, what board should look for in internal audit functions, and enhancing the value of internal audit.

[00:03:08] Doug Chia: So with that, let's dive in. Let's start by having one of you give an introduction to the IIA and what each of your roles are. 

[00:03:19] Benito Ybarra: Yeah, thank you. So again, glad to be here. So, um, you know, as far as the Institute of Internal Auditors, we're a global association serving, uh, the internal audit profession. We promulgated global internal audit standard.

[00:03:32] Benito Ybarra: Those are the standards by which audits are conducted, but also by which, um, functions are, are formed, including the functional relationships that we promote. So in terms of the introduction, Doug, you mentioned being a, an integral part of governance. You know, a well-positioned, well-resourced internal audit function reports to the governing body of the organization and their charter, their mandate is approved and set up by that governing organization.[00:04:00] 

[00:04:00] Benito Ybarra: And, you know, in terms of the profession, I'll just dive a little deeper. What we're struggling with is just a general misunderstanding in some cases of what internal audit does and what they can produce, what they can, what they can provide to the organizations they've served. So traditionally, internal audit functions provide an assurance role, and unfortunately, that is sometimes rooted in compliance.

[00:04:24] Benito Ybarra: Which is a part of the equation, but in terms of governance, you know, there's more to it than just compliance, making sure we're doing the right things in the right ways. Internal auditors, because of their position and their insights with regard to how the organization functions, can really help provide valuable information to the governing bodies with regard to how things operate, the maturity of the function, the risks that are evident in the organization, and the capacity and capability of the organization to perform based on that governing body's vision or, or, you know, goals and objectives.

[00:04:59] Benito Ybarra: So, [00:05:00] you know, I'll start off there because the charge of the Institute of Internal Auditors is to understand all of this, really help promote a best in class or world class iteration of internal audit all over the world, and where we see the disparities, the immaturities in some cases, really help promote internal audit in the right way for those governing bodies in those regions.

[00:05:23] Doug Chia: Mike, you've been a member of the organization for a long time, and so maybe just explain from the member side of things, how do you use the IIA and, um, you know, its vast membership? 

[00:05:38] Mike Varney: Hey, thanks Doug, and I appreciate the, the time here today. Um, I'd say to answer your question directly, I think the biggest piece is the network.

[00:05:49] Mike Varney: It probably sounds odd that I'm starting with the network, but, um, as the, uh, past chair, one of my goals and kind of focus was the members. And I think having that connection of [00:06:00] the members with other members gives a lot of power to when you experience something like that's a challenge. So like you're trying to get more engaged from a governance perspective.

[00:06:13] Mike Varney: You have thousands of members that you can reach out to in order to have conversations of, I'm trying to achieve x. How did you address this? What were some of the challenges that you experienced, and then how did you overcome them? And I think that conversation and interaction is huge. But then to just kind of add on top of that benefit is just all the publication information and resources that the IIA puts out there, um, in order to help the membership.

[00:06:48] Mike Varney: So I think it's very much a, a two-pronged approach of the pool of people that we engage with within the profession as practicing professionals, and then all the tools and [00:07:00] resources, the IIA puts out and spends time publishing both through the IIA and through the foundation, through research that helps members even more.

[00:07:12] Doug Chia: And Carrie, maybe explain your role as director for corporate governance engagement at IIA. 

[00:07:19] Carey Blakeman: Yeah. Thank you. And thank you so much for having and hosting us today, Doug. So I help lead the global initiatives, ones that Benito and Mike have both talked about when it relates to corporate governance and really elevating the role of internal audit when we're talking to boards and audit committees.

[00:07:39] Carey Blakeman: So Benito talked about maybe people thinking of internal auditors in a more compliance role or there's confusion out there. So my role is to help take all the great stuff that Benito's teams and the other teams at the IIA, the standards and guidance, our advocacy teams and try to put it in front of the board members and the audit committee members [00:08:00] and really elevate the internal audit profession.

[00:08:03] Carey Blakeman: And I also work really closely with a lot of the firms, other governance associations and our regulators, um, and our national institutes around the world to really, um, strengthen the governance frameworks that also govern corporate governance. 

[00:08:19] Doug Chia: What exactly is internal auditing and the internal audit function?

[00:08:25] Doug Chia: You know, when I was in-house, I worked very closely with internal audit, but before that, in private practice, you know, when it came to corporate governance, it was really, you know, the board, legal, finance and um, the independent auditors. And I didn't learn about internal audit until I got in-house. And I think when people think internal audit, they hear the word audit and they think like it's part of finance, they think auditing, accounting, that kind of thing.

[00:08:58] Doug Chia: And so maybe just [00:09:00] give us, uh, an explanation of like, how do you distinguish one from the other? 

[00:09:05] Benito Ybarra: I think your experience, you know, is shared. I, I used to be a practitioner for almost 30 years before my role here at the IIA and I was part of many organizations where what you describe is absolutely true. In a technical sense, right?

[00:09:18] Benito Ybarra: Internal audit is set up to provide assurance and advisory services at the organization to ultimately make them better. Um, as far as being part of the governance part or, or, you know, process of an organization, you're absolutely right. Sometimes because the word audit comes into play and it's used as an input to the decisions that need to be made and some of the, some of the insights that, that our leaders take with them to the meetings that they have.

[00:09:47] Benito Ybarra: Unfortunately, internal audit is not always invited to those meetings, and that is what I was talking about with regard to being a well positioned and well resourced internal audit function where we do see that happening. We do see firm, [00:10:00] um, positions of internal audit functions within the corporate governance structure of the organizations.

[00:10:05] Benito Ybarra: We don't always see that. And, you know, part of our charge is obviously to ensure that governing bodies, boards of directors, etcetera, understand the potential that internal audit provides beyond just, you know, the compliance function and the, the limited advisory consulting work that they do. Because internal auditors really understand the way the organization works at a detailed level that some executives don't understand.

[00:10:29] Benito Ybarra: You know, because they audit not only functions within our organization, within a silo, but the cross-functional processes that occur at the organization, they understand more about what makes the organization tick and what the risks are to the organization. In producing what they need to produce than again, some of the executives and governing bodies that, that are running the organization.

[00:10:51] Benito Ybarra: So having the internal audit at that table, you know, being part of the discussion, part of the decision making really [00:11:00] does add value where we see it happening, but it doesn't happen often enough. 

[00:11:03] Doug Chia: And, and Mike, you know, as someone in this role, um, you know, when someone kind of an, uh, uninitiated person asks you, well, what do you, what do you do as internal audit?

[00:11:16] Doug Chia: What is that? How do you explain that In layperson's term? 

[00:11:21] Mike Varney: I help organizations identify risks to meeting their strategic goals, and then how do they help mitigate those risks. And I highlight kind of a couple words in there. The first one being risk. So what are those risks that are gonna keep an organization from impacting or achieving their strategic goals?

[00:11:43] Mike Varney: And so then how do you control those? How do you monitor those? And then as I think about from a governance perspective, that's where the board's gonna be concerned. They're gonna be, we have this forward looking objective that we're trying to [00:12:00] achieve. What's gonna prevent us from achieving that? And so I think that's where you, internal audit being that uniquely positioned can bring that, uh, as Benito said, can bring that broad view across the organization of here's where things are happening or could happen that could impact that strategic achievement.

[00:12:21] Mike Varney: And then the second word, you know, risk is the first one, the second one is help. It's in how do we engage with the organization, not with the view of we're the cop on the block, but we're part of the organization, so how can we help do two things: provide some of that advisory to put things in place to help mitigate some of those risks.

[00:12:43] Mike Varney: And then the second piece of our, uh, mandate of provide assurance that things are happening to, to mitigate those risks. 

[00:12:51] Doug Chia: And, and so for internal auditors, um, and chief audit executives, is there any kind [00:13:00] of special training that someone would need to be part of this function? Um, you know, a CPA or some kind of certification?

[00:13:12] Benito Ybarra: Yeah, so definitely, so the certified internal Auditor certification is our flagship certification. And, you know, it, it reflects an aptitude but also an excellence in with, with regard to your understanding of internal audit, um, within it or leading up to it, there are obviously training programs that we offer.

[00:13:31] Benito Ybarra: There's also, um, a syllabus that is, that you can reference with regard to what is being covered on the exam. And it covers everything from the fundamentals of the standards to elements of fraud, governance, risk, compliance, but also how an internal audit should be structured, internal audit function should be structured. How internal audit should be conducted from risk assessment, all the way to communication and dealing with issues with regard to where management doesn't completely agree with your assessments.[00:14:00] 

[00:14:00] Benito Ybarra: Um, and it also includes quality and information technology. So it's a, it's a very broad and deep set of study materials that you would need to, to prepare for the exam. And once you have it, you know, you're recognized as a global practitioner and expert in internal audit. 

[00:14:19] Doug Chia: What about forensic auditing?

[00:14:21] Doug Chia: You know, I've always wondered they are the, the auditors, the financial auditors say, well, we're not here to kind of catch bad things. You know, it's something bad happens, there's an accounting fraud, and they say, well, where were the auditors? They should have caught that. And it was, I'm like, that's actually not really their job.

[00:14:40] Doug Chia: And then the question is, okay, well, whose job is it? Is internal audit part of that or responsible for it or works with others? 

[00:14:49] Mike Varney: It's part of it. We're a piece of that function. And to kind of tie it back to boards and governance functions, one of the roles and [00:15:00] jobs of a governance function is to inquire and ask questions of management and leadership.

[00:15:06] Mike Varney: What are you doing within your day-to-day activities to help identify and mitigate fraud from occurring within the organization? So that's the kind of the role that I've always viewed internal audit plays in is helping the board get an answer to that question. Helping management think about that question.

[00:15:30] Mike Varney: You know, one of the things that we do a lot with our clients is sit down with executive management and boards, and this is gonna sound so simple, but it's just asking the question: where do you think fraud can occur in your organization? And just start there and then kind of go down that list of, okay, well, and I'll pick on an easy example.

[00:15:52] Mike Varney: Stealing of, um, of cash. Okay. How do you control cash? Who can get, you know, just start asking some of these [00:16:00] very simple kind of basic questions and trying to help guide management and the board and assessing those. 

[00:16:08] Doug Chia: And so I guess, you know, you mentioned where in the organization. You know, my experience having worked for multinationals, a lot of it's geography as well.

[00:16:17] Doug Chia: Countries that have come up in the past for me have been Poland, Greece, Russia, China, Mexico, Brazil. And so is that, you know, is that part of what you are covering as well? 

[00:16:31] Mike Varney: Absolutely. And it's funny you kind of asked that question 'cause I have a, a couple clients that have operations in countries that, um, are all always not viewed high on the integrity list.

[00:16:45] Mike Varney: And so that's where we get a lot of questions from our boards. I have a couple clients that have operations in Brazil. You mentioned Brazil on your list it, every year we're getting questions. Okay, [00:17:00] what, what are you doing in Brazil? How engaged are you with the, the management down there? What is management doing?

[00:17:05] Mike Varney: So those are, are questions that they're looking to us. Again, back to that being part of the, the function, part of the fraud kind of process and controls of bringing that insight, given our unique position and kind of broad view across the organization to the board and helping them assess and ask questions in their governance role.

[00:17:27] Doug Chia: Yeah. In terms of geography, since I live in New Jersey, I, I usually add New Jersey to the list of, uh, you know, high, high incidents of fraud. But that's usually a joke. Um. Chicago might be more appropriate. But let me get to something that, you know, that's in the book, which is the word assurance. The word assurance shows up a number of times in your chapter.

[00:17:53] Doug Chia: And assurance is an a word that you also hear in the accounting world, and now the sustainability world as [00:18:00] well. And so what kind of assurance are you talking about when you, when you use this word? 

[00:18:07] Mike Varney: The way we frame it is assurance that what management says they're doing, so if we've got a risk, here's the controls and activities that we're doing to, to help mitigate that risk.

[00:18:22] Mike Varney: It's providing some of that assurance and window into yes, what they're say they're doing, they are actually doing. And we, we've seen evidence of that. Um, but then I think the other piece of that is giving some insight, you know, I'm gonna say this hesitantly a little bit of giving some insight of, well maybe they don't have the risk completely covered.

[00:18:44] Mike Varney: And the reason I say hesitantly, 'cause that's kind of getting in a little bit of that kind of cop on the block assurance that we've gotta sometimes play. But, but it's giving that role and I think Benito, you touched on a bit of where there's potential, maybe disagreement between auditors and management, [00:19:00] but having the, the confidence to say, yes, they're doing something, but they may not have addressed the risk appropriately or as effective as it could be.

[00:19:11] Mike Varney: Um, and being able to have support and the confidence to bring that forward to have that conversation. 

[00:19:19] Benito Ybarra: Yeah. I'll expand on that a little bit too because, you know, one of the key elements of providing internal audit services, providing that risk assessment, you know, for every internal auditor it's a key point of in time for their organization to really

[00:19:31] Benito Ybarra: communicate with all the leaders of the organization, including your governing bodies, your boards of directors, with regard to your sense of the risks of the organization, but to get input with regard to theirs as well. And we've, we've really strengthened that process through the, through the update of the global internal audit standards.

[00:19:46] Benito Ybarra: Because what we've done also is included a strategic element where every internal auditor should create a strategic plan by involving key stakeholders, not just doing it unto themselves. You know, internal auditors for many decades have, [00:20:00] have prided themselves on being completely independent. And we're saying it's time to break away from that.

[00:20:04] Benito Ybarra: There are, there is input that is valuable that we need to consider in conducting our work. So, you know, to, to tie this into the, the question you asked, we really have to provide assurance that the concerns, the thoughts, the insights, the vision of all of these key stakeholders are being taken into consideration when we're doing our work so that we're providing them the assurance that the organization is running well or not.

[00:20:30] Benito Ybarra: But also another key element to the, the updated the standards is performing internal audit work, serving the public interest. That is taking an additional stakeholder into consideration. Your, your customer base, your, the people that rely on you for goods, services, etcetera. The concept is not new for public sector government entities because that's what they do.

[00:20:51] Benito Ybarra: You know, they, they provide goods and services to, to the citizens, the taxpayers, and they have to provide them assurance that those funds are being used appropriately. The [00:21:00] concept is being broadened and included to private sector, publicly owned, uh, organizations around the world. So in terms of providing assurance, it includes that element as well.

[00:21:09] Benito Ybarra: Really ensuring like to bring it back home to what Mike said that the organization is conducting its work with the stakeholders in mind. Doing it in the right way, the way our stakeholders would expect it, but also providing them insights with regard to where we're not doing so well at the organization where we need to improve.

[00:21:28] Doug Chia: Benito, you mentioned the word vision, and I know Carrie, there was a, uh, some reference to something called Vision 2035 in the chapter. Um, and maybe you want to talk about that. Is that an in a new initiative of IIA? 

[00:21:45] Carey Blakeman: So about two years ago, we interviewed through many different ways, uh, surveys, one round tables, one-on-one interviews with over 7,000 global stakeholders.

[00:21:57] Carey Blakeman: So not only internal auditors, [00:22:00] but board members, Benito mentioned the public sector, like people who are working with and for internal auditors and who the internal audit profession is serving around the world. So we really wanted to make sure this was a global report. Um, so this report really dives in to a lot of what Mike and Benito have mentioned, being practitioners or former practitioners and saying, where do, where do we as the IIA and then the internal audit profession see ourselves in 2035?

[00:22:32] Carey Blakeman: And it goes through so much, um, not only about internal audit, but thinking through what support they need from boards and audit committees. How do internal auditors see themselves? How do they think people see them, um, in the different assurance and advisory aspects? And one of the findings that was, um, I mean, we kind of knew it.

[00:22:54] Carey Blakeman: I feel like, um, as people who work in the IIA and very closely with the [00:23:00] profession, that we do need to start expanding into this advisory aspect and really figuring out how to upskill, um, the internal audit profession as Benito mentioned. It is allowed in the new standards. And thinking through that.

[00:23:14] Benito Ybarra: Yeah, I mean, just to, to, you know, support what you said. Basically, it was a research study that produced a gap analysis for us. You know, what we need to focus on as an association, the IIA, but also as a profession. Where do we want to be? Where do we see the profession in 2035, and what are some of the risks, you know, in the auditor terms that we need to address to, to get to a best state.

[00:23:36] Benito Ybarra: So the perceptions of internal auditors came up as, as still mixed. You know, we're seen as police watchdogs in a lot of instances. Something that, you know, we need to break away from. We're more than that. Um, the embracement, the embracing of technology was seen as a weakness, you know, where we see AI, especially having entered the, the sphere for all professions, we see huge impacts to the profession

[00:23:59] Benito Ybarra: if we [00:24:00] don't change the way we do things, if we're just focused on compliance work, that can easily be programmed and we can easily, easily be replaced. So being more strategic, more visionary, more included in the governance aspects of an organization is very important for us too. 

[00:24:15] Mike Varney: The survey just firmly pointed out, we get tied up on this word of independence, but we always forget in the standards, independent and objective assurance within, and I, I tend to very much focus on that objective word, which then to kind of tie that back into the vision 2035 and what you've heard Carrie and Benito talk about, of being more advisory, being more strategic within the organization, engaging across the organization, given that we're independently positioned, it allows us to bring that objective view and kind of be that, [00:25:00] um, person at the table of just asking and providing advice of, well, have you thought about this? What about, you know, some of those things because you're we're bringing a broader view, um, across the organization. So I think that's one thing that very much came through for me within the vision 2035, is being that strategic alignment, being more engaged in that advisory.

[00:25:24] Mike Varney: And then I think the, the, the tag onto the back of that was the upskilling of our, of our teams. Um, which then also ties into the strategic goal of internal audit. So it used to be we would go into finance functions, hire an accountant, bring the accountant into audit, and off we would go, well, it's very clearly showing that's a piece of it, but now what about operational type items?

[00:25:53] Mike Varney: And then the big one that's come out now and, and is, as everybody would expect, is technology. So [00:26:00] what technology competencies do we have within our function to help engage with the organization and provide both that assurance and, uh, consultative nature? 

[00:26:11] Doug Chia: Where does internal audit, the function, sit in the organization?

[00:26:16] Doug Chia: You know, does it necessarily report to the CFO or compliance or legal? 

[00:26:23] Benito Ybarra: Yeah, I mean, what, what I'll say is, you know, what we promote and what is in the standard is that the internal audit function reports functionally to the highest level governing body. So in terms that we most often talk about as boards of directors, right?

[00:26:36] Benito Ybarra: The boards usually delegate that responsibility to audit committees. So that's where we like to see the internal audit function report to. Administratively, there's a dotted line, and we promote that dotted line being to the CEO because the CEO has the responsibility of reporting to the board of directors themselves.

[00:26:55] Benito Ybarra: So just through that, right, there's a shared knowledge and and [00:27:00] perspective from the board that both the Chief Audit Executive and the CEO would share, but also, you know, they have a broader, the CEO has a broader charge in the organization than would a CFO who could be focused on the financial aspects of the organization, the controls with regard to finance and limit the internal auditor's, you know, view and vision with regard to what they audit at the organization.

[00:27:25] Mike Varney: There's kind of, I would say, three models. There's the fully, what we would call in-house model to where everybody's employees of the organization directly and then kind of aligned to that reporting function that Benito just laid out. But then there's two other types, and this is where I get heavily involved within the market space, is the co-source arrangement, which where you have a chief odd executive,

[00:27:52] Mike Varney: but in order to kind of strengthen and build out their team, they'll go to an outside provider, a professional service firm, [00:28:00] um, to co-source with. And that can take many functions. And typically within a co-source, you report into the chief audit executive. And then that kind of flows, that function that bonito laid out.

[00:28:11] Mike Varney: But then there's the other other piece for multitudes of reasons, you know, size of organizations, geographic dispersion of, or of organizations, the full outsource model. And that's where somebody like myself in theory, would have the, the role of Chief Audit Executive. And in that role, I would report up through, you know, similar to a direct kind of functional line to the audit committee and then, um, a dotted line to the CEO or CFO depending on how the organization is structured.

[00:28:45] Mike Varney: So that's another way to, another type of model, but still it holds to that core function of independently position with a reporting function to the governance and then a functional within the organization. [00:29:00] 

[00:29:00] Doug Chia: And so, you know, in the book you say, no matter the model, internal audit must report directly to the board for the function to be truly independent and effective.

[00:29:11] Doug Chia: Um, and you know, you mentioned the audit committee and you've talked about independence a lot, Benito is this idea that the internal audit function must report to the board, is that a regulatory requirement? 

[00:29:26] Benito Ybarra: No, it's in our standards. So, um, the thought there is that in order to really produce the work that we need to, we need to have the access to the re to the people, the data, the report, the facility, everything that we need to, to provide that assurance that we need to provide to the governing body.

[00:29:45] Benito Ybarra: I've seen cases where, you know, worst case scenario in my history, a chief auditor reporting to an accounting manager, which is like four levels down from where we wanna see that. And obviously their perspective is limited, their [00:30:00] ability to access records, etcetera, is limited. And that doesn't provide a best in class situation for an internal audit function.

[00:30:07] Doug Chia: And, and so you mentioned the standards and here's, uh, you know, one area where if the board is not aware of the standards, then they, they have no idea that that's, um, you know, what you were saying is maybe not even, not best practice. Not, maybe not even Okay. Practice. And so in terms of the standards, how much do board members, uh, need to know?

[00:30:31] Doug Chia: I don't know how extensive these are and how granular it gets, but Yeah. As a board member, what would they wanna make sure they understand about the IIA standards? 

[00:30:44] Benito Ybarra: Yeah. So this is where it's become incumbent upon our Chief Audit Executives to take the message to the boards. So I mentioned the updates to the standards.

[00:30:52] Benito Ybarra: Part of the update is what, what I'll term as domain three of the standards, which, um, calls on the board of [00:31:00] directors to set up the function by issuing the mandate with regard to what the internal audit function is doing at the organization. And they approve that mandate. So that provides for the, the structure, the resources, the capacity, capabilities that they have, etcetera.

[00:31:16] Benito Ybarra: And that doesn't exist at every organization. And to, to your question or your point, if the board doesn't understand what an internal audit function can do, they're not going to include them in any sort of governance discussion or rely on them for any sort of meaningful work other than the one-off audit report that gets to their, their desk on a quarterly basis, for instance.

[00:31:38] Benito Ybarra: So setting them up to, to issue that mandate, set up the audit, audit function is really meant to boost the knowledge and understanding of the boards with regard to internal audit. And again, we rely on our Chief Audit Executives to do that because in conforming with the standards that would be checked.

[00:31:54] Benito Ybarra: So every five years, an organization that wants to conform with the IIA standards has to get a, a quality [00:32:00] assessment. And this would be one of the elements that would be reviewed and assessed whether or not they have a mandate that would be approved by the board and, and the, the communication coordination that happens with the board of directors.

[00:32:12] Mike Varney: Um, you know, I think Benito provided a great summary of an approach to it. But, you know, kind of a, a tactical example, there's quarterly board meetings around the quarterly filings. Um, and if the audit, if the audit function is properly positioned, they should be attending to those audit committee, committee members and part of the presentation.

[00:32:33] Mike Varney: And so what we do within most of our client bases, we've got our, you know, here's what's going on, here's what we've done to the plan. But then we also put some information around just education to the board. So, and this could take a lot of forms. One of the forms is, here's an update to the standards and here's areas to highlight in the standards.

[00:32:56] Mike Varney: Other things is, here's risks that we're seeing within our industry [00:33:00] that's on the horizon, or here's what we're seeing within the market. So that's a, a easy kind of tactical way within public companies to start kind of embedding some of that education and learning. And then one other, Sarbanes Oxley

[00:33:15] Mike Varney: like anything, um, in the world's kind of a double-edged sword, when Sarbanes actually came out, it definitely had a positive impact on internal audit in the, in the profession of put a lot of kind of, uh, highlight to the, to the function. A lot of highlight to the, to the ability of the profession. But

[00:33:38] Mike Varney: there was a negative side to it. So now a lot of times you see where it's been very much financial focused, internal audits of financial function. Um, and as Vision 2035 shows, there's a lot of other risks across organizations that are outside the finance function. So I think that's another opportunity for education within the profession of [00:34:00] we're not just a finance function, we do other, we understand other risks and can provide value within those other risks.

[00:34:07] Mike Varney: So that's another kind of educational opportunity. 

[00:34:10] Doug Chia: I'll just give you a, a quick anecdote about Sarbanes Oxley. From my experience, I, you know, I was corporate secretary before that I was assistant corporate secretary who came from private practice. I later on met, uh, Congressman Mike Oxley, who since has passed away and I said, uh, Congressman Oxley, I'd actually like to thank you because without you I, this, you know, it created a job for me and turned out to be a very good career for me.

[00:34:41] Doug Chia: So, you know, I really appreciate that. And he said, well, thank you very much. 'cause most people when they meet me and we talk about the Sarbanes Oxley Act, uh, they're not very happy about that. So you're probably one of the rare people, maybe the only people who's ever thanked me for [00:35:00] this. And I thought about how

[00:35:01] Doug Chia: Sarbanes Oxley actually was, you know, as far as legislation goes, you could say it was a huge job creation act. Um, you know, it created a lot of jobs in our professions and the, you know, bank compliance as well. Um, but I, I think that the, the legislation was not intended to be jobs creation, at least not the kind of jobs that, uh, uh, you know, American voters were, were hoping for.

[00:35:31] Doug Chia: So, so that's just, that's just an aside. And so under the standards, um, when, you know, when we say that the, the internal audit function, the chief audit executive should report to say the audit committee. Does that mean that the audit committee is the one who hires and fires the Chief Audit Executive even though the CAE gets their [00:36:00] paycheck from management?

[00:36:02] Benito Ybarra: That is true. So, um, obviously the board is gonna lean on the, the management functions of the organization to carry out their directives, but yes, um, I was part, I was part of an organization before this, where that was the case on an annual basis. My performance evaluation was performed by the audit committee and by the, and the full board was involved.

[00:36:24] Benito Ybarra: Um, they leaned on our chief of staff to conduct all the assessments related to that and provide them the information they needed to do that assessment. Um, they reviewed the board, reviewed my audit plan, um, they reviewed, uh, the capacity capability that we, that we had in place and where we were not able to address risks because of our own lack of competency or resources that would be elevated to the board so that they understood the risks they were taking on by not resourcing our function appropriately.

[00:36:54] Benito Ybarra: Or taking steps to ensure that we stepped it up as an organization and provided [00:37:00] internal audit the resources it needed to go and check those risks. 

[00:37:04] Doug Chia: We talked about independence. Internal audit should report to the board, namely the audit committee. Audit committee hires and fires the Chief Audit Executive.

[00:37:18] Doug Chia: So the, the CEO can't just say, I don't like this person, what they're doing, they're fired. Um, you know, that's, that's the board's decision. Um, but there could be situations where the audit executive feels that there's something that they should really be reporting to the board. But the CEO, um, you know, they review it with the CEO before board meeting as CEOs review everything before board meetings.

[00:37:50] Doug Chia: And there's a little bit of daylight there and, you know, there's almost like kind of this divergence of [00:38:00] interpretation or, uh, recommendation or something like that. And it puts you, it can put someone in a very uncomfortable position. How does one deal with that? 

[00:38:13] Mike Varney: So I have been in that position, um, and it's a, as you would expect, it's not a fun position to be in.

[00:38:22] Mike Varney: The piece I always come back to is the word relationship. Um, and have you done two things? One, the relationship you got with the, the CEO or the functional reporting person. Um, and then two, I would say as important if not more important, your relationship with the audit committee chair. Um, and so I think that having that key piece coupled with

[00:38:54] Mike Varney: having a, a strong fortitude and asking the right questions and getting the right [00:39:00] information to assess. And then we just have to have the conversation. Um, and I'm very much of a proponent of, to your point, to the daylight you go, you have the conversation with the CEO and say, here's what I've seen, here's what I've, why I believe what I've seen.

[00:39:18] Mike Varney: Here's the, the information, and have the conversation with them and see where the resolution is. But be very transparent of, in my role, I've gotta report this and have this same conversation with the audit committee chair. So I think having that transparency, those relationships doesn't solve the problem, but I think it gives you the basis in order to have those conversations from a confidence perspective.

[00:39:46] Benito Ybarra: Yeah. What I would add to that is a big part of it for me is role recognition. You know, understanding the CEO's role, the board's role, and them understanding yours in terms of what we were, we're talking about here. You know, you have to be able to include this in your, in your [00:40:00] dialogues, uh, regularly, you know, account for the potential that the CEO could be subject to an investigation, and how do you deal with that, right?

[00:40:09] Benito Ybarra: So if you have these discussions, have process by which you, you everybody understands and can follow when these things happen, it makes it easier. But the relationship standpoint, yeah, I, I agree with that as well. You know, there has to be trust in order to operate, you know, at an effective level. And, you know, if you're doing things in the right way, having the communications the way you need to have them with supportability for what your assertions are, it's gonna be fine.

[00:40:37] Benito Ybarra: It's never comfortable when you're dealing with a potential fraud situation that involves a key level of management. But that's part of your role as a chief audit executive sometimes, and you have to be able to do it and having the support of your board board and your executive management team really gets tested when that happens.

[00:40:53] Benito Ybarra: So it's a, for me it was exciting and exhilarating time when I went through that. Tough. But [00:41:00] you came out of it at the other end feeling really good about your position if you did it well. 

[00:41:03] Doug Chia: You know, we mentioned internal audit plan. Um, there's also an in, I know there's internal audit charters for the department and then there's the audit committee charter as well.

[00:41:16] Doug Chia: And I know, Carrie, are you, maybe you want to talk a little bit about how these, or what these are and how they intersect or dovetail? 

[00:41:27] Carey Blakeman: Being a Chief Audit Executive can be a lonely space, and I think that's why it's vital to not only have that important relationship with your audit committee chair and with other people in your organization, but with other Chief Audit Executives.

[00:41:42] Carey Blakeman: So you can go to, to maybe friends eventually and say, I'm dealing with this really weird or awkward situation. I can't tell you about it, but what have you maybe done if you've been in a similar situation? So we do care a lot about just relationships in general, and one of the things we're [00:42:00] working on also is that deepening of the audit committee relationship with internal auditors.

[00:42:05] Carey Blakeman: So I'm, I'm really excited about that and that's part of what we're doing here today. Um, so what I would say with audit committee charters, um, when Benito and Mike were talking about a few points earlier that it is, we would expect a Chief Audit Executive to talk to their board about what's happening with the standards, but sometimes we do not see in the audit committee charter that they oversee or have a reporting relationship to internal audit.

[00:42:32] Carey Blakeman: So one of our, you know, kind of advocacy or soft advocacy points is that every audit committee charter should also include that if there is an internal audit function, there should be an internal audit function, right? Whether it's code force, outsource, or in-house. 

[00:42:47] Benito Ybarra: So it's just basically, you know, um, laying out the responsibilities of the audit committee, what the audit committee charter does, and Carrie mentioned the responsibilities not only, not only over internal audit, but whatever the board is delegated to them could be, you [00:43:00] know, the external audit function, uh, risk management we've seen included as part of audit committee functions, investigations, compliance.

[00:43:07] Benito Ybarra: You know, it just lays out the charge of the, of the audit committee and the reporting responsibilities to the full board as such. Um, I, I, like Carrie said, ideally we wanna see a strong support for internal audit there. The mandate that I talked about earlier being, being expressed there, uh, for the audit charter, you know, again, the responsibility of the, of the audit function, the, the role of the, of the audit function, the reporting relationships, um, how it conducts risk assessments, how it reports, etcetera.

[00:43:37] Benito Ybarra: So really roles and responsibilities. But what we see is that mature functions, mature organizations really lay this out well. It leads, you know, to the overall strong governance posture that an organization has. 'cause if you have all this laid out, everybody understands their roles and responsibilities, they can work better together.

[00:43:56] Benito Ybarra: But it also forces the internal audit function, since we're talking about audit, [00:44:00] to really step it up. Because if you wanna be included in these broader discussions, you really have to do work that's meaningful and considerate of what your leaders want. And that's, again, overemphasize the, the, the independence discussion we've been talking about.

[00:44:15] Benito Ybarra: If you're overly independent doing what you think is best for the organization as an internal auditor, you're missing out because you really need to include the thoughts and insights of others to produce more meaningful and valuable work. 

[00:44:27] Mike Varney: Back to kind of how we started the IIA and I, the one of the huge benefits it gives to the profession is

[00:44:35] Mike Varney: tools and templates. So audit committee charters, internal audit charters. We've got base like the IIA have base frameworks for you to start with to actually start the right and develop that. And I think that, that it gives you, that, it puts you 70% down the path so you don't have to start with a blank sheet of paper.

[00:44:56] Mike Varney: And that's a huge help in, in helping that conversation [00:45:00] to get uh, everything that we just highlighted. 

[00:45:02] Doug Chia: So, so it sounds like, you know, the audit, there's the audit committee charter, and a lot of that is prescribed by, um, by regulation. Then the internal audit charter essentially cascades down from that. Um, and then potentially that cascades down into, uh, job descriptions and, and all of that to make sure everything is, everything that needs to be covered is covered.

[00:45:27] Benito Ybarra: Yeah, that's a good synopsis of it, you know, and to expand a little on the very first question with regard to the, the association, the IIA itself, part of our challenge is understanding how this, how this functions all over the world. So in terms of network, like Mike was talking about, we have 118 national institutes that represent us and lead in their respective countries and regions, uh, chapters in the, in North America and Caribbean that represent us and lead there.

[00:45:54] Benito Ybarra: And what we do is lean on them for insights with regard to how this is working so that we can be as [00:46:00] global as possible. So the tools and templates that we're creating, you know, are, are meaningful no matter where you download them. 

[00:46:07] Doug Chia: In the book you write, in addition to their traditional financial reporting responsibilities, boards and audit committees are being asked to focus more on cybersecurity, business resilience, enterprise risk management, and AI.

[00:46:23] Doug Chia: Let's talk about, for the internal audit functions role in the oversight of AI. How are you approaching that, I guess, both from the perspective of, uh, kind of risk of AI and also AI tools that might, that, that are starting to be used, um, by internal audit professionals? 

[00:46:49] Benito Ybarra: Yeah, so in terms of AI, definitely a disruptor, right?

[00:46:52] Benito Ybarra: It's, it's moving fast. We've seen it incorporated in many ways around the world. And from an auditor perspective, you know, it's risk, it's high risk [00:47:00] because we see it being employed without strategy sometimes. Much less governance. So what we like to do is see a governance framework in place, but fast paced organizations who want to win in the marketplace aren't concerned with that.

[00:47:13] Benito Ybarra: And we have to understand that as part of an internal audit function operating in these environments. So what we like to promote is knowledge of how it's being used. You know, similar to a SOC report, is it being, is, is AI being used in key functions that would impact financial reporting reliability, for instance? Or any sort of external reporting, right?

[00:47:34] Benito Ybarra: That, that somebody's relying on. That's where an internal auditor can engage more directly to ensure that there's actual substance behind what's being employed in AI. That obviously forces the internal auditor to learn as much as possible about how AI works. We want to make sure that we're providing tools, information, guidance, with regard to how AI could impact the business, but how to use it as well.

[00:47:56] Benito Ybarra: Internal auditors, you know, in a recent survey, are [00:48:00] only employing AI 14% of the time. When we see it, you know, being employed much higher than that at the organizations they support. So again, to to reemphasize internal auditors really have to step it up on all, on all fronts. But in AI, most specifically. 

[00:48:17] Mike Varney: Internal audit, being in the role that we're, we're in within organizations puts us in a very unique position of, it kind of makes us go down two paths.

[00:48:29] Mike Varney: And those two paths is one being how do we use it in what we do from day to day and our function and apply it to make us more efficient and provide more insightful, um, lessons to the organization? But then the second path is everything Benito just touched on of how is our organization applying and implementing AI?

[00:48:53] Mike Varney: You know, so what are the governance structures? How do we assess what AI? I think the, the other piece [00:49:00] we probably got used to this way back when of kind of phantom software, phantom IT within organizations. Well, guess what? There's gonna be phantom AI and, you know, what are your organizations doing to make sure that data is staying, like your data, staying within your environment? And some of those types of questions.

[00:49:22] Mike Varney: So what we're seeing, so that's kind of the two roles of that we've been dealing with is one, helping internal audit functions in departments apply AI. And it's a lot of the. You know, an AI or an internal audit person, just what's the governance of how you're gonna do it within your function? Where should you start?

[00:49:41] Mike Varney: How should you start? Where is gonna be the most impactful? And kind of having that built into your strategy that we've touched on. And then the other piece is how are organizations doing it within their, within their environments, what tools are they choosing? How are they choosing those tools? So what [00:50:00] we've seen is kind of those two paths of A working with internal audit functions and how they start to apply it, and then B, working within the organization of how the organization is applying it within their different functions.

[00:50:13] Mike Varney: One of the risks that we see a lot when it comes around AI is the pressure to put AI programs in place. And a lot of that pressure being driven from cost containment, cost reduction, efficiency. So I see a lot of clients saying, well, we're gonna have X amount of AI and X number of period. Um, so just being cognizant of that pressure and looking to where your internal audit function of, back to that governance of, okay, yeah, there's this pressure to do this, but we still gotta do it in a systemic, governed, structured manner.

[00:50:50] Mike Varney: So internal audit can provide a real, you know, a real good value in helping provide information to the board and management of, [00:51:00] yes, they're working to it, but they're still doing it in a structured manner. 

[00:51:05] Doug Chia: Yeah. Yeah. And I think that, you know, like other parts of, um, any organization, uh, pressure can lead to shortcuts.

[00:51:15] Doug Chia: Um, pressure can be in the form of your compensation is tied to certain goals, and then, you know, that often leads to bad, bad outcomes. So, Carrie, maybe you want to talk about what internal audit, what looks good and, and how a board member assesses that. 

[00:51:35] Carey Blakeman: Yeah, so we, um, at the, IIA created a document called the Global Public Policy Position Paper.

[00:51:43] Carey Blakeman: So that is definitely a mouthful. We affectionately call it GP four. And this is something that we would highly encourage boards, governments, people around the world, like Benito said, in our network to look at this position paper because what we've done is said, [00:52:00] these are the six criteria that really would have an effective, I know we've mentioned independence a lot, but like Benito said, well-positioned and well-functioning internal audit function.

[00:52:12] Carey Blakeman: And the six criteria are mentioned in the chapter and they're expanded a little bit upon. So we would, again, read the chapter, but we also have the link in the chapter two, GP four, but we've already mentioned a few of them, so I'll go through them quickly. Independence from management. So we've talked about what that could look like in different formats.

[00:52:31] Carey Blakeman: We've talked about a written internal audit charter. Following globally accepted internal audit standards, having qualified staff, especially those who hold a certification. We've mentioned the certified internal audit or, or CIA certification. Performing these all with objective and unbiased manners. And then the one that we've mentioned a little bit, but not gone into detail on, um, and we have a whole other team and you know, people that work on this within the standards [00:53:00] is having, um, or being subject to an external quality assessment.

[00:53:04] Carey Blakeman: So we sometimes will say, who is auditing the internal auditors? We know that external auditors, depending on what type of external audit you're doing, you have to have a peer review. This is very similar. Um, and so Benito and Mike have know all about those as well. Um, but I would say really focus on those six criteria when you are thinking about an existing function or if you want to create one.

[00:53:29] Carey Blakeman: It's a great roadmap for thinking through how to create an internal audit function. 

[00:53:34] Benito Ybarra: What I would say is, you know, for me, incorporating all those elements and seeing and recognizing them really helps governing bodies, the boards, understand that they have a competent, you know, authoritative and reliable function that they can lean on, you know, in order, in order for them to make decisions.

[00:53:51] Benito Ybarra: You know, board members come in infrequently, right? They get a lot of information from those who rely on, which is your executive management team. They really need [00:54:00] to understand that internal audit is that authoritative, reliable resource for them. And again, to emphasize those six elements. When you have those in place and the board understands who they're dealing with, they can really take stock in the information they're receiving and help them make those key decisions and investments that they need to, you know, to, to help the future of the organization.

[00:54:21] Mike Varney: The only comment I would add is that clear communication that's in that lies within those, those six elements, but do you have a chief aud executive? That's very clear. And how, when and where they communicate information. So think that that, which goes back to that building trust and some of those underlying soft skills that aren't often touched on. 

[00:54:46] Doug Chia: In terms of audit committees and kind of what questions they should be asking.

[00:54:52] Doug Chia: And kind of going back to the fact that the audit committee hires and fires the CAO, if they say they're [00:55:00] interviewing, uh, for a new CAO in, in, uh, CAE, you know, whether it's internal or from the external world, what kind of things should they be asking about, uh, to, to kind of pressure test and, and evaluate someone beyond just kind of the normal, is this person gonna be a good employee?

[00:55:22] Benito Ybarra: Yeah. For me, having gone through this a few times, you know, an understanding of the business, number one. That's one of the complaints we receive most often about Chief Audit Executives, that they don't understand the business they're trying to help support. So really digging in on the business acumen of the internal audit, uh, internal auditor is important.

[00:55:39] Benito Ybarra: You know, financial acumen goes without saying, you know, most of our, our, uh, Chief Audit Executives have a solid financial background, but more so we're seeing an emphasis on IT, cybersecurity information security. What's their knowledge in that space? And are the boards well equipped to ask the right questions?

[00:55:56] Benito Ybarra: So they need to, they need to skill up too. That's what we're here for. [00:56:00] The, IIA, uh, the center that, that Carrie has stood up to help boards of directors really understand what the key risks are, how to upskill, how to understand it, and the changing every evolving landscape they're dealing with. 

[00:56:15] Mike Varney: The one piece I would add to that is what they don't know and the fortitude and confidence to say I don't know, which then I think kind of ties to, they then know where they need to go get that competency. 

[00:56:30] Carey Blakeman: We did put a lot of questions at the end of our chapter that could help the audit committees and board members who may just kind of be thinking like, what should they ask? It's a great template to start and then Benito mentioned, um, we just launched a new global audit committee center and every piece of content that we put out, we try to give really good questions for audit committee members and board members to ask their chief audit executive, so that, again, part of it, it really is about deepening that relationship and having clear [00:57:00] communication.

[00:57:00] Carey Blakeman: So there's lots of tools that we really want to help people just not have to, again, like think from scratch. It's like, here's some really good questions that will get you on the right path. 

[00:57:09] Doug Chia: One thing we haven't talked about, which I think is really important, is the private sessions that the Chief Audit Executive has with the audit committee.

[00:57:22] Doug Chia: Um, you know, what I saw was at the end of every audit committee, certain executives would go in for a private session without anybody else in the room. Just them and the board members or the independent board members. And, you know, the rest of us would sit outside and usually these things are pretty short, but if it went long, people are like, Ooh, geez.

[00:57:43] Doug Chia: What are they, what are they talking about in there? This might not be so great. Talk about, you know, what, what does go on in, in those types of, of meetings? And it is, is it just standard for that to happen? Are there companies that don't do this? 

[00:57:59] Benito Ybarra: It doesn't happen often [00:58:00] enough, um, for the chief auditor,

[00:58:01] Benito Ybarra: right? So, you know, I, I've been fortunate enough to be a part of these meetings and yeah, it, it gets amplified when the internal auditor's in there for 45 minutes, uh, talking, you know, to the audit committee or whatever board member they're talking to, um, you know, what happens at those meetings, you know, it's driven by, in this case the internal auditor.

[00:58:22] Benito Ybarra: What I would do is highlight my perspective of the business, you know, for the period of time since I last saw them, uh, where I saw some of the risks, some of the decisions that, you know, could potential they could potentially ask questions about, right? So informing them with regard to equipping them with questions they might wanna ask is important.

[00:58:41] Benito Ybarra: Um, and again, you know, it really helps highlight the auditor's understanding of the business. And too many chief auditors, you know, don't press for these executive sessions because it's tough to try to be relevant when they're not fully involved in the business. So it's a, it's a vicious [00:59:00] cycle. You know, if you're not gonna be involved in the strategy of the organization having those discussions, you're not gonna be clued in and plugged in enough to have those meaningful discussions.

[00:59:08] Benito Ybarra: So again, we're challenging chief auditors out there to really step it up, and be a better part of the fabric of the organization in doing their jobs. 

[00:59:19] Doug Chia: Let's talk about the Vision 2035 report. It's a very forward looking plan in terms of where do you want to be in 10 years or where do you want the profession to be in 10 years.

[00:59:33] Doug Chia: Um, just talk about some of the, the findings and key points from the report. 

[00:59:38] Mike Varney: One of the questions we asked is kind of aligning funding of the department to strategic focus of the audit plan and the goals of the function. And there was a clear correlation that came out that those functions where their work and plan was more aligned to the risks, strategic [01:00:00] risks and understanding of the strategic goals, the funding was higher.

[01:00:06] Mike Varney: And so I think thinking very critically and looking inward to us as, as a department of, are we truly aligned to what's important to the business to help mitigate and, and strengthen the business? And having our kind of house in order a little bit, having that strategic plan laid out, being aligned to the, the strategic goals of the organization actually makes that funding conversation easier.

[01:00:36] Mike Varney: And maybe if you're getting the question of do, why don't you cut your funding? Or do you really need that resource? I know it's human nature to kind of go, well, you're just after us maybe turning inwards and asking the question, are we focused in the right areas too to help strengthen your position in that conversation?

[01:00:54] Mike Varney: But that is one of the things that just is, has stuck with me coming out of 2035 as well as [01:01:00] a couple other items, but aligned to strategy, funding was more, was stronger and, and, and stable, for lack of a better term. 

[01:01:09] Benito Ybarra: That was underscored by one of the weaknesses that I alluded to earlier when I think almost 50% of the respondents said internal audit is viewed as the watchdog of their organization.

[01:01:18] Benito Ybarra: You know, in terms of governance, strategic insight, you're not bringing the watchdog to that meeting, right? So we need to break away from that. You know, these risk assessments I talked about. Being completed in a, in a good way is very important. You know, I, I've done quality assessments and I've reviewed audit plans, and if I see an audit plan that does not include it, for instance, it's a red flag.

[01:01:40] Benito Ybarra: So you ask the chief auditor, why not? You know, are they being limited from doing those audits or more so they don't have the competencies to do that, right? Because they're not fully resourced or, you know, they just, they just don't see it as a, as a, as an imperative either way. Those are the types of insights that the board needs to know about to [01:02:00] really fully understand what they're dealing with when it comes to internal audit.

[01:02:05] Carey Blakeman: I'd say the key takeaway I'd like to highlight, especially with the audience listening in, is we had about 45% of those 7,000 people say that they need greater support from the board and from audit committees. And so we've talked about that here at length. Um, so we don't need to go into details, but we just really want to emphasize that it has to be both sides, the Chief Audit Executive and clear communication like Mike said, to the audit committee chair.

[01:02:33] Carey Blakeman: But then also as we've talked about, having the audit committee chair or members or a board member, um, care about the internal audit team and function and ask questions and, and get involved with what they're doing. I've heard really great stories from audit committee chairs that go visit an internal audit team and kind of they meet the people, they meet the people doing the work, and they really get a lot of value out of that.

[01:02:58] Carey Blakeman: It also does help with that [01:03:00] budget item that Mike brought up to say. What are these people doing every day and are they properly trained? Do they need to be upskilled? Like let's hear from the team themselves. Um, so I would just encourage if you are on a board or on an audit committee, um, or have this kind of role where you're overseeing an internal audit function, reach out if you haven't done that and really start to build that relationship.

[01:03:25] Doug Chia: Yeah, that, I think that's great advice. I mean, that's kind of a sign of an enlightened director that they're actually gonna go talk to the entire team. One thing I noticed in the report, you know, you surveyed the respondents for where do they expect the profession to go and where did they expect the internal audit scope to expand to cover?

[01:03:49] Doug Chia: And very high on the list was sustainability. And I was really surprised by that. What's your take on that? 

[01:03:56] Benito Ybarra: A little surprised that it was so high. For sure. So. [01:04:00] You know, sustainability has been a polarizing, you know, theme here in the United States, especially over the past few years. And I think, you know, there's a little hesitancy with regard to audit engaging in that because auditors like criteria, they like standards by which they can do their assessments without solid criteria standards

[01:04:18] Benito Ybarra: it's really tough to, to perform an engagement like that. It's getting more important significance outside of the United States. You know, I've traveled Europe, Latin America, Africa, really big, big themes there. Asia, I just came from Asia. Um, everybody's concerned about sustainability, doing some form of assurance engagement with regard to their, their organization's posture when it comes to sustainability.

[01:04:43] Benito Ybarra: Um, still there's no international standard that, that we can point to that would allow us to, you know, globally support the sustainability audit. But something that we support, you know, intermittently as we, as we go encounter these situations. 

[01:04:57] Mike Varney: I think that highlights the, the global [01:05:00] nature of, of our profession.

[01:05:03] Mike Varney: It's been a bit of a hot button within the US but it's very w widely accepted and kind of focused on outside the US or globally more globally. But it, I think it affirms kind of our organizations, especially public companies, role or position within the global marketplace. So although we may be a US based organization, it's still something we need to think about and consider as we go into some of these global markets.

[01:05:31] Carey Blakeman: My reaction is very similar to Benito and Mike's. I would remind everyone that when we did the survey data, um, I believe it was over a year from 2022, mid 2022 to early 2023, before we had different leaders in the US and around the world. Um, so I think that that also could be playing into it just the

[01:05:53] Carey Blakeman: different viewpoints of people around the world were different three years ago than they might be today. I would [01:06:00] highly encourage everyone, um, to focus again on the global nature. So like Mike said, if you are a public company in the United States, you are probably somehow touching someone globally and you need to be thinking about this.

[01:06:14] Carey Blakeman: Um, you can, might use different terms. Um, business continuity, business resilience can come up, um, when we're thinking about sustainability topics. So that might be a way to, to be thinking about it. If it hasn't come up, um, at your board meetings or on your internal audit plan. 

[01:06:29] Doug Chia: That's probably a good place to wrap up.

[01:06:32] Doug Chia: So Carrie, Benito and Mike, thanks so much for joining me today. This has been great. 

[01:06:38] Mike Varney: Thank you, Doug. 

[01:06:39] Carey Blakeman: Thank you. Yes. 

[01:06:40] Mike Varney: Thank you very much. 

[01:06:42] Doug Chia: So that concludes this episode of The Public Company Series Podcast, powered by OnBoard. And I'd like to thank, uh, Carrie Blakeman, uh, Benito Ybarra from the Institute of Internal Auditors, and Mike Varney from Crow LLP, for sharing their [01:07:00] insights.

[01:07:00] Doug Chia: And I encourage you to read the chapter of the book entitled, the Value of the Internal Audit Function and the Risk of Not Engaging, which you can find in the book Board Structure and Composition part of the Public Company Series published by the New York Stock Exchange and JP Morgan. Uh, you can read and download the entire book at www.nyse.com/pcs.

[01:07:27] Doug Chia: To learn more about OnBoard, visit www.onboardmeetings.com. And for additional resources and episodes, visit www.publiccompanyseries.com. And don't forget to subscribe to receive all new episodes of the Public Company Series Podcast and rate us and leave us a review. I'm Doug Chia, and we will see you next time.