The eyes of internal auditors should be wide open and looking in all directions. So says Verra Marmalidou, chairman of the Institute of Internal Auditors (IIA) Greece and a board member of the European Confederation of Institutes of Internal Auditing (ECIIA). She wants internal auditors to be fully informed and up to date about changes to the risk environment. ‘We need knowledge and awareness of the global as well as the local risk landscape,’ she says.
Marmalidou’s day job is deputy director of internal audit at the National Bank of Greece (NBG), the country’s second largest by assets. A decade on from the global financial crisis that plunged Greece into a government debt crisis, she is well placed to reflect on the lessons learned. ‘The most significant risks are hidden at the highest levels of the organisation, and it is there that controls may be weak, that good corporate governance practices may not always be implemented and that goals may have short horizons,’ she says.
‘Internal auditors need to act like they are the shareholders of the company’
Ready for action
Internal audit did learn from the crisis. Marmalidou believes ‘things would be different’ if a similar scenario arose in the future because the profession now takes a holistic approach to risk.
Yet the increase in business and technology risk and operational complexity poses challenges for the financial sector. In particular, the new regulatory requirements constitute a considerable financial burden. Greece’s four largest banks – including NBG – have reported an aggregate cost of €5.25bn to comply with new accounting rules as European stress tests loom.
Marmalidou has a clear response to regulation. ‘For internal audit in the financial sector, the challenge is to avoid becoming an arm of the regulator. We must meet the expectations of all stakeholders, who of course include [regulatory] supervisors.’
One trend in financial services that concerns her from the internal audit perspective is the outsourcing of business processes. She warns: ‘We should be careful of internal auditors’ responsibility in outsourcing.’ Is information taken on trust, or do internal auditors rely on other auditors, she wonders, adding: ‘Companies need to be careful of the wording of contracts with outsourcing providers. The right to audit outsourced activities should remain inside the business – we should be lifting the veil on outsourcing.’
Marmalidou believes internal audit needs to take full responsibility for keeping up to date with technology –the digitisation of products and services and the use of artificial intelligence.
But disruption is not the right word to use here, she says. ‘It is too negative. Technology combined with critical thinking by internal auditors should be making a positive impact.’
But that will happen only if internal audit functions invest in the right skills, tools and techniques. ‘As the business environment becomes more digitalised, we need new skills to understand and be able to perform internal audit. We need to prepare and maintain proper personnel.’ She adds that internal auditors should not be limited to just one specialism but should be able to work across many fields using up-to-date IT skills.
Marmalidou declines to speak specifically about the collapse of British construction giant Carillion in January 2018, which prompted inquiries into the role of many advisers, including the internal auditors. But she does suggest questions (see box) that could be asked in any corporation, and which the board ‘should answer before pointing the finger and blaming internal audit’.
Fail to plan and you plan to fail
To insulate the business against corporate failure, companies should ask themselves six internal audit-relevant questions:
- Does the board pay attention to internal auditors?
- What is the role of the audit committee in preventing failure?
- Does internal audit have an appropriate role, including a seat at the top table?
- If internal audit is outsourced, how does the board achieve proper oversight of its internal auditors?
- Is the board engaged with ensuring appropriate internal controls are in place?
- Where there is a high concentration of risk, who is responsible for managing that risk and what is the company’s tolerance to the risk concentration?
Marmalidou says it is crucial that the internal audit department is independent and can communicate directly with the board and executive management. ‘Internal audit should have a voice at the board,’ she says. ‘That seat at the table ensures that internal audit has a proper role in the company and that boards engage with important issues raised by it. Boards need to hear from internal audit.’
This is true not just for the main board but its committees and layers of management as well. These, says Marmalidou, should be ‘included in our universe to provide assurance. Corporate governance is about the whole management decision-making process. As a result we audit governance in every area of the organisation with both a top-down and a bottom-up approach.’
She believes the relationship with external auditors is vital if internal audit is to work properly. ‘The internal auditor’s approach to the external auditor is crucial,’ she says. ‘We need to speak to each other, establish a framework of cooperation and exchange opinions on the universe of risks the organisation faces.’
New model internal audit
What Marmalidou wants is a transformation of internal audit. For a start, she wants to see its application reinforced in public and governmental sectors: ‘Regulatory rules that apply to publicly traded companies in relation to internal audit should be applied to ministries and municipalities across the European Union. The public sector should be conforming to internal audit standards. Don’t forget that the financial crisis in Greece did not start from the financial sector; it started with the poor governance of the country. Internal audit is a pillar of good governance and should be used.’
But if internal audit is to prosper in the long term it must add value. The business needs to see the point of it. Marmalidou says: ‘When we report findings back to the business we should be sure to draw attention to opportunities as well as risks. We need to advise on enhancing good governance, changing processes, doing business in a more efficient way and identifying trends and innovative solutions.’ She also advocates benchmarking other internal audit units in the same sector.
She has advice for individuals on staying relevant too: ‘You should look at the big picture. You need a deep understanding and knowledge of the strategic and operational objectives of the business to be able to concentrate on what is important.’
In her first job Marmalidou worked for a large shipping company where all staff were encouraged to think and act like the owner. It has shaped her whole professional approach. ‘Every day since then that thought has been in my mind,’ she says. ‘Internal auditors need to act like they are the shareholders of the company. If we behave like that, we will always be relevant.’