ChatGPT
Audit International realise that for many internal auditors, the audit committee is a bit of an enigma. Most of you help the chief audit executive (CAE) or other internal audit leader with materials and content to provide to this subgroup of the board of directors. Much of your work, in summary fashion, ends up there. But, for the most part, we only know what happens behind the closed doors of the boardroom if your CAE conducts a post-meeting debrief. Yes, we know that the audit committee is important. We know that they take our work seriously. But what do they really want from us?
For internal audit leaders themselves, the meetings can be intimidating. The majority of audit committee members are experienced executives from other companies and often serve on other boards. They are generally savvy, informed individuals, who spend a part-time role executing governance duties for the organization where we work. So, while they might, at times, be proactive—meaning, they raise questions or lines of inquiry based on something they initiate—mostly they are reactive, responding to what is presented to them. That means the onus is often on internal audit leaders to help them in their role by carefully choosing what to share with them.
Yet walking the fine line between providing too much detail and maximizing the little time we have with the audit committee can be tricky. Internal audit leaders often express anxiety about meeting with the committee. It can be difficult to anticipate what they may find important versus what they would consider a waste of time. Indeed, internal auditors can be forgiven if they just want to shout the famous Spice Girls refrain: “Tell me what you want, what you really, really want!” So, let’s give that a try: What does the audit committee really, really want?
First, What the Audit Committee Doesn’t Want
During an Internal Auditors career, you report functionally to an audit committee on separate occasions, with different companies. You might foolishly think that you would give them lots of information and let them decide what was important. It’s a trap that is easy to fall into. It takes time, experience, and some good mentors to gain the wisdom to realize that is absolutely the wrong tactic.
It is an evolutionary process to slowly realize that reporting to the audit committee is not about what you want to tell them. It’s only about what they need to know. To cite an often-used phrase: “be brief, be insightful, and be gone.” Keep it short, share the needed knowledge, and let others take their place on the agenda. It’s not about you; it’s about your audit committee members.
What the Audit Committee Does Want
Here are ten things that Audit International have learned that the audit committee of the board wants from internal audit. We hope they work for you when it is your turn to directly interact with the audit committee.
1) The essence of the quintessence: This phrase, “the essence of the quintessence,” was shared by a chief operating officer of a bank once, and it stuck with us. Basically, he was expressing that he and the other execs were busy folks and they want to get right to the bottom line. Don’t just tell me what you are telling me, but tell me why you are telling me. Get to the essence of the quintessence! And that’s what the audit committee wants too! So, if you feel you really must share something with the audit committee, ask yourself why it is so important that they know it. If you can start your phrase with, “this is important because …,” then they probably need to know it. They want the bottom line and the why. The rest is superfluous.
2) Not how you did something, but what you concluded: Have you ever asked someone how their vacation went and they start by telling you about the car ride to the airport? You are being polite, but all the while you wish they’d just answer the question. You want to know about the experience at the destination, not how they got there. Well, the same is true with the audit committee. All the work we did to arrive at our conclusions is important to us, but not to them. They only want to know the conclusion. So, cut to the chase. They trust you did all the right work to get there.
3) Your opinion, not just the facts: Internal auditors follow standards, confirm everything, and don’t spout wild, unsupported views on subjects. We are methodological in our pursuit of facts and the truth. So, when we have made a conclusion, we are usually armed with supporting facts. If not, we tend to refrain from going out on a limb with an opinion. Resist the urge, however, to stick only to the facts. You are not a robot; you are a person with a brain. You have a range of experiences to draw upon and see more of the organization than most anyone else. So, does the audit committee want a Joe Friday, “just the facts ma’am,” approach? Not really. They trust you have done the work and want to hear your views on various topics. If they ask your opinion, trust your instincts and give it to them. If you don’t, you really aren’t adding as much value as you can.
4) Your concerns, audited or not: Whether you are new to an organization or have been there for many years, your well-honed internal audit skills will leave you with an innate ability to have concerns about certain things, whether you have actually done internal audit work on the topic or not. If you had unlimited time and resources, you’d go check out all those nagging worries, and confirm or deny them. But you don’t. The audit plan may not have prioritized it, but that doesn’t mean the concern isn’t valid.
Now, the audit committee has no desire to hear lots of speculation or theories, nor are they interested in trivial things. But, believe me, if you have a good relationship with the audit committee, they want to hear your top concerns, even if you don’t yet have all the facts. You just need to be extra careful in how you position what you say, and you do so rather infrequently. But they do want to know. As they say, that’s why you get paid the big bucks.
5) Something of substance in executive session: One experience that is among the trickiest for a CAE to navigate is the executive session with the audit committee. During the typical executive session everyone who is not a board member leaves the room and the internal auditor meets with the audit committee alone. Over the course of a few years of executive sessions with the audit committee, I can say from experience that there are two things you never want to do: one is to have something to tell them in every executive session, and the other is to have nothing to tell them in any executive session. So, the goldilocks theory applies here, you want to strike the right balance. What to bring up, how to bring it up, and what you need to do both before and after you bring it up is a whole course in and of itself. It is an art, not a science. Don’t be trivial or cavalier about what you bring up. The audit committee wants you to bring things up, and they want them to be of substance.
6) Proof you really get the business and the strategic plan – Whether it is deserved or not, a common complaint by operating leaders and managers within many companies is that internal audit does not understand the business. The last thing you want is for the audit committee to second guess your conclusions. So, if you are confident that you know the business and the strategic plan (and you’d better be), let it show. It should show up in your audit plan, your priorities, and your explanation of internal audit’s observations and conclusions. Don’t risk having the audit committee doubt you. They want comfort that you know the business and are in lockstep with the strategic plan. Give them the confidence that you do.
Another point to make here is to remember that you are a businessperson. As we go about our internal audit work, we tend to put blinders on, as if the audit plan and the audit projects are the only reason for our existence. Of course, they are not. So, when we update the audit committee on what we are doing, what hat are we wearing? An auditor’s who happens to work for the business? Or a businessperson’s who happens to be an auditor? The audit committee wants the latter.
7) That you align with second line functions: Not always, but often the only way that second line functions (risk management, compliance, security, and others) coordinate and collaborate with internal audit is if internal audit (namely the CAE) initiates the coordination and takes a lead role in it. Apart from the added cost of redundant activities, the audit committee doesn’t want a bunch of disjointed terminology, reports, and conclusions coming from the various “risk and control” functions of your organization. They want you to coordinate and collaborate across the second and third lines. If they aren’t telling you that, they are telling someone else behind your back!
8) Courage: Like everyone else in the organization, days are always going to bring obstacles, difficult co-workers, things not going according to plan, changed schedules, broken promises, and other hurdles. But, more often than many other employees in other departments, you will from time to time be called on to summon up some courage. From an obstinate audit client that is making your job difficult to a senior audit client manager that is disagreeing with you no matter how right you are—not to mention fraud investigations, hotline accusations, and executives who are doing questionable things—you are going to come across matters that are so egregious that you must raise them, regardless of the consequence. They are, hopefully, rare, but if you are in internal audit long enough, those times will arise. They will require backbone and strength of conviction, and are not for the faint of heart. But guess what, that is exactly what the audit committee wants from you: a reservoir of courage and the ability to call on it when it matters most.
9) That you understand the politics, but are not political – All organizations are political by nature. Whenever people get together and resources are scarce, win-lose games happen. Corporate politics are a fact of life. As much as we’d all like to be apolitical and let the facts drive what the right answers are, if we don’t learn how to navigate the organization’s politics, we will not be able to get our jobs done effectively. Does that mean we need to use the politics to our advantage? Sheepishly, the answer is yes, but not in an underhanded way. It’s important to know who to talk to, about what, and when; how to position what you are going to say; who needs a heads-up on what; who are the influencers in the organization; and so on. We need to know all that and leverage it to our advantage. Our audit committee members are some rather experienced and savvy businesspeople, and they are also navigating the organization’s politics to do their governance jobs. So, yes, they do expect you to understand the politics to get your job done well and know how to report things to them with an understanding of how the politics works, but they also don’t expect you to be overly political.
10) That you know when you may not be objective: Objectivity is such an important tenet to what internal auditors do and how we do it that we need to be ultra vigilant and self-aware when there is a risk of our objectivity being impaired. Audit committees expect us to be self-aware of when our objectivity might be impaired, or even the potential appearance of it being impaired. So, park that ego, realize you are subject to your own biases, and be self-aware enough to advise the audit committee when your objectivity could be impaired. They expect you to do that.
Earning that Paycheck
Even though they may not tell you directly, take it from us that your audit committee wants you to: be brief, tell them only what they need to know, share your professional opinion, be open about your concerns, leverage executive sessions properly, understand the company’s strategic objectives and strategic plan, collaborate with the second line, be courageous, know the business, navigate organizational politics, and say when your objectivity might be impaired. Easy peasy. Well, not really. But, as we concluded, that’s why you get paid the big bucks.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc. across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com
Artificial intelligence (AI) has the potential to transform the internal audit profession. ChatGPT, a large language model trained by OpenAI and based on the GPT-3.5 architecture, is an AI tool that can help internal auditors in various phases of their audit work.
Audit International are now going to discuss the benefits of using ChatGPT in these phases.
Planning
The planning phase is a critical phase of the audit process where the internal auditor defines the audit objectives, scope, and methodology. ChatGPT can be used in this phase to analyze large volumes of data and identify patterns and trends that may not be immediately apparent to human auditors. By using ChatGPT, internal auditors can save time and effort in identifying potential risks and opportunities for improvement. ChatGPT can also help internal auditors develop audit plans and testing procedures based on the insights it provides.
ChatGPT can also be used to educate internal auditors about the process under audit and its relevant risks. By inputting data related to the process, ChatGPT can provide a detailed understanding of the process and the risks involved. This can be particularly useful for internal auditors who are not familiar with the process or are new to the organization.
Further, ChatGPT can help internal auditors to identify potential areas for improvement in the audit process itself. As internal auditors input data into ChatGPT, the platform can analyze the data and suggest ways to improve the audit process. This can help internal auditors in developing more effective and efficient audit plans, testing procedures, and reporting methodologies.
Testing Phase
The testing phase is where internal auditors gather evidence to support their audit findings. ChatGPT can be used in this phase to analyze and interpret data, including financial and non-financial data. ChatGPT can help internal auditors in identifying anomalies, trends, and patterns in the data that may require further investigation. ChatGPT can also help internal auditors in identifying areas of the business where testing should be focused and can even suggest potential audit procedures based on the data it analyzes.
Reporting
The reporting phase is where internal auditors communicate their audit findings to the relevant stakeholders. ChatGPT can be used in this phase to generate automated reports that are accurate, comprehensive, and timely. ChatGPT can also help internal auditors in identifying the root causes of issues and provide recommendations for improvement. ChatGPT can even suggest remedial actions that can be taken to address the identified issues.
Monitoring
The monitoring phase is where internal auditors ensure that the management has taken appropriate actions to address the audit findings. ChatGPT can be used in this phase to monitor the implementation of the recommended actions and identify any further areas for improvement. ChatGPT can also help internal auditors identify emerging risks and opportunities that may require additional attention.
Privacy Concerns
One of the most significant concerns with the use of ChatGPT in the internal audit process is privacy. Internal auditors need to be aware of the privacy risks associated with the use of ChatGPT and take appropriate measures to mitigate those risks. It is essential to ensure that the data entered into ChatGPT is anonymized and that sensitive information is not shared or stored on the platform. Additionally, internal auditors need to ensure they have the appropriate consent and authorization to use the data in ChatGPT.
Treat it as a Tool
ChatGPT is a powerful AI tool that can help internal auditors in various phases of their audit work. By leveraging the capabilities of ChatGPT, internal auditors can save time, enhance their efficiency and effectiveness, and improve the quality of their audit work. However, internal auditors need to be aware of the privacy concerns associated with the use of ChatGPT and take appropriate measures to mitigate those risks. By doing so, internal auditors can leverage the capabilities of ChatGPT, while also safeguarding the confidentiality and privacy of sensitive data.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc. across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com
