Interested in this topic? Visit the links below for more resources:
Visit The IIA’s website or YouTube channel for related topics and more.
00:00:02 The IIA
The Institute of Internal Auditors presents All Things Internal Audit. What does it take to move an internal audit function from being risk traditionalists to risk strategists? And what's quietly holding most teams back? In this episode, host Aaron Monet sits down with Jess Rogers, Global Internal Audit Leader at EY and North American Board Member of the IIA.
00:00:25 The IIA
Together, they examine why the traditional audit model no longer fits the world we're operating in, and what leaders need to unlearn before they can change it. You'll hear three assumptions most audit teams are still running on, a real-world example of transformation done right, and one concrete action any CAE can take in the next six months to start shifting their function's standing with leadership.
00:00:51 Erin Banet
So Jess, when you think about a risk traditionalist internal audit function, what behaviors or patterns come to mind?
00:00:59 Jess Rodgers
I think you know it when you see it. It's the annual audit plan that was essentially identical to last year. Maybe there's a few new topics to reflect the headlines you may see.
00:01:10 Jess Rodgers
the findings report that arrives 8 weeks after field work had ended and it's written in a way that is defensible over decision usefulness. It's a relationship with the business that feels transactional. We show up, we audit, we leave, we repeat. And these patterns aren't signs of bad people, bad intentions, but they're a natural output of
00:01:37 Jess Rodgers
a function that was architected for a different error. But what's really astounding to me is when I say different error, this error wasn't too long ago. It was actually fairly recent, maybe only a few years ago. And when the world moved more slowly, when risks were more linear, it was more contained, a retrospective, a more compliance-focused audit model, it was a bit more fit for purpose.
00:02:04 Jess Rodgers
And we audited last year's controls, we found what broke, recommended fixes, had the management action plans, and we repeated the cycle. And maybe that wasn't a terrible thing. But when I look at traditionalist functions, there's a distinction that I think is important to call out. Traditionalist functions focus more on findings, not to reduce risk, but really focus on findings. And
00:02:31 Jess Rodgers
We need to be focusing on strengthening organizational decision-making, and that's really the distinction.
00:02:37 Erin Banet
Why does that traditional model struggle in a navi-risk environment?
00:02:42 Jess Rodgers
So the NAVI framework, which is that comes out of our recent risk transformation study that I'm sure folks have been hearing EY talking about it a lot. And NAVI stands for nonlinear, accelerated, volatile, interconnected. It's not just a description of how the world feels. It's a description of how risk is really moving. And it exposes the traditional model's foundational assumptions that it no longer
00:03:12 Jess Rodgers
fits in the world we're living in right now, because the traditional model assumes everything is linear, that cause leads to effect, effect is discoverable, looking through that rear view mirror, and a retrospective audit can capture it. But in this Na'vi world, risk is cascading. A regulatory change in one market is going to ripple into supply chain. It's in talent strategy, capital allocation, competitive positioning,
00:03:41 Jess Rodgers
and it often happens within weeks. And when I look at that and think about it, by the time a traditional audit cycle finds a control gap, 3 consequences at least have likely already materialized and it's too late. So the traditional audit model is assuming that risk is moving slowly enough for periodic assurance to be relevant.
00:04:06 Jess Rodgers
These models aren't going to make sense in a world where a board is being asked to make decisions, approve, let's say, a $500 million AI investment in a technology that likely didn't even exist 18 months ago.
00:04:22 Erin Banet
What assumptions do internal audit teams need to unlearn before they can modernize?
00:04:28 Jess Rodgers
I love this one because I think this is a question that often gets missed or probably isn't thought about.
00:04:35 Jess Rodgers
I see a lot of functions. The first thing they jump to is what tools, what tech, what do we need? What do we need to quickly apply to our function? And even here at GAM, lots of conversation around AI, lots of conversations around technology, but you need to think about the assumptions that need to be unlearned in order to be successful with the technology. And the first assumption that I would think about is what's the product?
00:05:02 Jess Rodgers
And I think where one of the assumptions, one of the mistakes is that the audit plan is the product. That is really an input. The product should be organizational confidence, the ability of leaders to be able to make decisions with greater clarity, greater confidence,
00:05:21 Jess Rodgers
based on the work that audit teams are doing, because audit teams are anchoring their identity, they're not anchoring it to the audit plan. They're not protecting the plan. They're making sure that the audit plan is pointing to what matters most. Second, that findings are wins. How many times are we saying,
00:05:42 Jess Rodgers
audit functions, being proud of the number of findings that they have, almost like a sales team, is proud of the activity that they have. The number of findings is inherently not valuable. It's really looking at the change that you're driving. You know, having a finding that's showing up four years in a row is organizational noise, and that's not going to drive impact per se. And then lastly is, and I think that this really drives damage
00:06:12 Jess Rodgers
for an internal audit function is that independence requires distance. Internal audit needs to have the courage to step into the challenging conversations. Independence, your independence is exactly why we need to be in the tough conversations and to be providing our thoughts and perspectives. It doesn't impact our independence or objectivity. It's exactly why we need to be at the tough conversations right now.
00:06:39 Erin Banet
Where do leaders tend to underestimate the mindset shift required for transformation?
00:06:44 Jess Rodgers
This is an interesting question, and I do think maybe I have a bit of a different view. One of the personal, I think there's a personal aspect that doesn't get addressed in this area, and everyone thinks about it in terms of organizational, the tools, the skills, the processes, and all of those matter. I'm not going to say that they don't, but for many experienced
00:07:08 Jess Rodgers
internal audit professionals, we've always been taught about rigor, our documentation, our comprehensive audit plan, findings with root cause analysis, the management action plans, and we've earned this concept of rigor over years and years of practice.
00:07:25 Jess Rodgers
And that isn't something that's going to be easily given up. And in the world we are now living in, there's new models being introduced where it's real-time risk intelligence, it's rapid cycle insights, continuous monitoring, continuous conversations.
00:07:42 Jess Rodgers
And it can almost feel like you're being asked to lower your standards. You're giving up this rigor. It feels different. And it almost feels a bit like loss. And I do think that there's an emotional struggle with that needs to be acknowledged.
00:07:57 Jess Rodgers
and addressed. And so I think that that's one angle that I think folks aren't acknowledging and addressing, because that can end up slowing things down when you need to be accelerating. The second place is definitely the talent dimension and how are we looking at our teams that do we have the right folks that can operate
00:08:18 Jess Rodgers
in a world of ambiguity, we're not always going to have the full picture now. And how do we make sure we have the right teams that can operate with confidence, being able to help our leaders make decisions with confidence when maybe we don't have the full picture? And that's something that are we going to add additional investment to get people to that place? Or do we need to, you know, consider that when we're hiring?
00:08:44 Erin Banet
Can you share an example of an organization beginning the shift from traditional
00:08:48 Erin Banet
a list to strategist.
00:08:50 Jess Rodgers
One example that I had that I thought was quite impactful, and it's not going to start with technology, I absolutely loved it. A new CAE came in, and it was really a listening exercise. She came into this organization, she took a step back, and before she touched the audit plan, before she touched or even considered taking any action, she had spent her first 30 days
00:09:16 Jess Rodgers
and quite a few structured conversations across the C-suite, the audit committee chair, and it wasn't about pitching the value of internal audit, internal audits capabilities, but to truly listen, what does the C-suite need, what does the C-suite want, and what were they not getting, and what could be done differently? And what she consistently heard from all of the stakeholders was some sort of variation was,
00:09:43 Jess Rodgers
We're making decisions at such an incredibly rapid pace that we've never had to do before. We need someone to help us think through what we're not seeing, not someone who's going to come in after the fact and play Monday morning quarterback and tell us something six weeks later that we missed. And the feedback, this feedback was something that was really her charter for transformation. And
00:10:09 Jess Rodgers
What she did was she didn't announce this big, okay, now I have all this information. Now I'm going to announce this big transformation program. But what she did was she picked one strategic initiative and piloted a whole different way of working, a new rapid risk assessment, how to engage differently with stakeholders. And she laid out this
00:10:30 Jess Rodgers
groundwork for this one pilot, how to work differently. Let's test it out once, have a proof of concept. It went over really well, but what she did is she built an advocate. And she built, when she reported it to the audit committee chair, she reported to the C-suite, she now laid a foundation for what comes next. And I think having that credibility, the advocacy, that proof of concept,
00:10:56 Jess Rodgers
really laid a nice groundwork for all the changes she did need to make and what came next. So I thought it was a really nice way to get that flywheel going for the change she needed to drive. So she created a really, really cool proof point.
00:11:10 Erin Banet
That sounds like a great story. Where have you seen traditional approaches fail to meet leadership needs?
00:11:18 Jess Rodgers
I think it's the latency gap, what I would think about. And that's the distance between when a risk crystallizes and when leadership is hearing about it from internal audit. In a traditional model, that gap tends to be structural. Internal audit plans are set annually. Fieldwork can take weeks, sometimes months. Reporting then takes more weeks.
00:11:40 Jess Rodgers
hopefully not months. And by the time the finding is landing on someone's desk, that organization has been living with the risk for quite some time by then. And then the second failure point is, let's talk about communication, the traditional audit reports. They are really, truly written for documentation purposes, for completeness purposes. And they're establishing whether or not a control did it exist, did it not, a finding was identified.
00:12:07 Jess Rodgers
management responded. They're not truly written to help the C-suite make a decision. They're the language, the length, the structure, it's all optimized, as I said, for completeness. And they aren't useful or as useful anymore. So in a world where executives have to move on the fly, make decisions with confidence, is our communication
00:12:32 Jess Rodgers
helpful or are we creating additional obstacles? I've seen audit reports that can be upwards of 40 pages.
00:12:40 Jess Rodgers
from some clients and we really need to take a step back and how can we do things differently to have these, our insights be truly helpful in creating the confidence in making decisions, relevance, timely, and then, certainly how we're presenting information.
00:12:58 Jess Rodgers
And then lastly, the siloed audit universes are, certainly interesting. New risks are emerging at the intersection. So conducting audits in silos, not talking and not looking for where there could be new issues that come, risks at the intersection, where, you know, if we're auditing everything separately, if teams aren't talking, if we're auditing cyber, if then we're ordering third party,
00:13:26 Jess Rodgers
operational, in separately, they're all conducted soundly, but you run the risk of missing something bigger if, you're not thinking differently.
00:13:36 Erin Banet
How does a risk strategist measure success differently from a traditional internal audit function?
00:13:42 Jess Rodgers
Metrics come up a lot. I'm sure everyone's taught, you know, from time to time, folks are revisiting metrics.
00:13:49 Jess Rodgers
Metrics is probably one of the most revealing tests about how folks are adding value. A traditional list is going to measure some of the typical, how many findings, how days to issuance, number of reports, just the very basic to tell you is the machine running, not if the machine's pointed in the right direction. But it's really, those really, I don't think are inherently helpful to tell you the value that the function's adding.
00:14:19 Jess Rodgers
A risk strategist is going to measure different things. They're going to look at stakeholder perception. And those are the true structured surveys, the periodic surveys that are going to ask leadership very direct questions. Going to ask questions such, is internal audit surfacing issues that you aren't already aware of? Are you proactively bringing
00:14:42 Jess Rodgers
internal audit into the strategic conversations? Is the function making you confident in your decisions that you need to make? They're also going to measure, and this is a tough one to measure, so I'm not going to say it's an easy one, emerging risk identification. Is internal audit identifying risks before they truly materialize? And then lastly, talent outcomes. Are folks
00:15:07 Jess Rodgers
Our high-performing folks outside the business wanting to come through internal audit, and then our folks with an internal audit going out into the business taking on senior business roles, business leader roles. I think looking through that is all those 3 dimensions are really important and say a lot about the value of internal audit.
00:15:27 Erin Banet
What does decision velocity look like in practice for internal audit teams?
00:15:32 Jess Rodgers
So I think that this is really exciting because we have an opportunity now with all of the technology to really look at things differently. And because leaders are being asked to commit a lot of capital now and to market launched products and the regulatory changes, everything is moving at an unprecedented change. We need to be able to serve as navigators and help them through all of this.
00:15:59 Jess Rodgers
The rapid risk assessment capabilities is 1 area. So being able to conduct 30-day sprints or quicker sprints and be able to really focus on some strategic decisions and be able to help and provide quicker insights around that decision to help them think that through and be at the table for that, I think is really important, whether it's a merger, an AI deployment,
00:16:26 Jess Rodgers
enter into a new market. And this isn't a full audit. It's A targeted insight delivered fast. And when the decision is still in play, that's a different value proposition. Then again, coming in after the fact and telling leadership what they may have missed and when it's too late. And it's quite frankly, too costly for the organization. The last, another one, continuous monitoring.
00:16:49 Jess Rodgers
Being a function that tells them what's happening now versus what's coming or after the fact, being a transformative function really helps how internal audit is perceived. And again, I would reiterate on the communication redesign, leveraging two-page insight memos where you can as a result of continuous monitoring, your rapid risk assessments.
00:17:13 Jess Rodgers
I think really being that help, that navigator versus the historian in a traditionalist function to help with the confidence in decision-making is a game changer.
00:17:25 Erin Banet
Where do internal audit leaders most commonly get stuck when trying to evolve their functions?
00:17:30 Jess Rodgers
There's a few. The first one I'd say is strategic ambiguity. I see way too many functions waiting for permission to change.
00:17:39 Jess Rodgers
I don't think a CAE should wait for permission because that perfect permission might not come and strategic functions just go for it. They don't wait for the permission to change the model. They move and they operate, they start operating differently. They demonstrate their strategic value and earn the expanded mandate through their performance. So not waiting for that permission to be more strategic.
00:18:04 Jess Rodgers
Second would be the team capability trap. They would one excuse ICCAEs, they don't have the team with the right capabilities. But on one hand, you build the capabilities through the stretch assignments, through getting your teams up to speed, through the upskilling, through pushing your teams.
00:18:22 Jess Rodgers
The technical skills can be taught. Giving the folks the right opportunities for that, I think is really important. You can bring in a co-source partner. You can, you know, to maybe for some of those really technical areas, but capabilities are built through stretch assignments. You're never probably going to have the perfect team. So saying you don't have the right team is going to really slow you down and you're probably not going to get to that strategic function.
00:18:49 Jess Rodgers
And then thirdly would be the culture gap. What leaders say they value, what their vision is, and then how are they actually spending their time. So if they say they have this grand strategic vision, but then they are spending their time buried in some of the traditionalist.
00:19:07 Jess Rodgers
functions and spending, from 9:00 to 5:00 their entire day, whether they're, certainly in status updates, audit plan reviews, and they're not living what they're saying, I think that also hinders, moving towards a strategic function.
00:19:23 Erin Banet
What is 1 meaningful change leaders could make in the next 6 to 12 months to signal real progress?
00:19:31 Jess Rodgers
So 1 meaningful change, and I think 1 takeaway would be
00:19:35 Jess Rodgers
It sounds small, but I think it can grow and get things started would be to pick one stakeholder relationship and focus on one to start and redesign it. Pick one of your most important ones, whether it be a C-suite member or even the audit committee chair, and focus on changing the nature of engagement. Not the frequency of meeting, but really the true nature, because it's going to tell you a few things.
00:20:00 Jess Rodgers
Right now, your engagement with that individual could center around more status updates.
00:20:05 Jess Rodgers
And I see a lot of CAEs are providing, I meet with the audit committee chair, I provide them an update with where our plan is, what findings, what we're seeing out there.
00:20:14 Jess Rodgers
And it really doesn't feel strategic.
00:20:16 Jess Rodgers
It doesn't feel that it's adding too much value.
00:20:19 Jess Rodgers
But what you can do to transform that engagement is to flip it a bit.
00:20:24 Jess Rodgers
Here's what we're seeing in the environment.
00:20:26 Jess Rodgers
Here's what we're hearing.
00:20:27 Jess Rodgers
Here's what we think the organization and what you could
00:20:30 Jess Rodgers
asking or watching out for, and here's what we'd recommend focusing on next.
00:20:35 Jess Rodgers
And here's what we need from you to be more useful as a function.
00:20:39 Jess Rodgers
And what this is going to tell you is also going to tell you what leadership actually wants from you.
00:20:46 Jess Rodgers
Do they value a strategic function?
00:20:48 Jess Rodgers
Are they still thinking that you should be a traditionalist function?
00:20:52 Jess Rodgers
So it can give you also insights into your next play, into your next move, and
00:20:58 Jess Rodgers
how to drive and how to steer into being a more strategic function.
00:21:03 Jess Rodgers
So I think being thoughtful, being intentional and taking that very thoughtful and intentional step to just start with changing one relationship and then moving on to others, I think that would be really important because if you try to change everything at once, you risk not changing anything.
00:21:22 Erin Banet
What advice would you give chief audit executives navigating this transition today?
00:21:27 Jess Rodgers
Everyone's talking about different technologies.
00:21:29 Jess Rodgers
Everyone's talking about the changing environment.
00:21:32 Jess Rodgers
So I would sense that there might be feelings of overwhelm.
00:21:37 Jess Rodgers
What do I need to do?
00:21:39 Jess Rodgers
Everything I'm taking back to my teams.
00:21:41 Jess Rodgers
I'm not going to lie, the work is hard, but it's not conceptually hard.
00:21:45 Jess Rodgers
I think that there's a direction of travel, progressing to being more forward-looking with more foresight, speeding, being able to provide directional clarity to leadership.
00:21:56 Jess Rodgers
But
00:21:57 Jess Rodgers
I do think, giving yourself a bit of grace, during the transition, moving from traditional to a strategic function is probably the biggest piece of advice I would give, because it's not linear.
00:22:10 Jess Rodgers
You're going to have 1/4 where things are going great, you're making progress, you're feeling...
00:22:14 Jess Rodgers
awesome, the team's moving, but then there's going to be some periods where, okay, it might feel like you're taking a step back, but you're really still progressing forward.
00:22:24 Jess Rodgers
I would also say building your advocates and your coalition before you need it.
00:22:29 Jess Rodgers
Too many folks are engaging with business leaders, C-suites, only when there's an audit or a need, but building those relationships
00:22:38 Jess Rodgers
outside of the audit is really important.
00:22:40 Jess Rodgers
And making sure you're engaging with the stakeholders, the business leaders throughout the year is really important.
00:22:46 Jess Rodgers
And then don't lose your voice.
00:22:48 Jess Rodgers
It's easy when things are going well to, you know, be there, have your voice, but have the courage to get into the strategic conversations and don't use your independence as an excuse to not be at the table, to have the courage to be at the strategic conversations.
00:23:06 Erin Banet
So Jess, coming from a background of internal audit and having an internal audit team, how do I think about getting people on my team that maybe have been more rigid to become more of that strategist and really want to be taking more of that agile approach to internal audit that you've described?
00:23:22 Jess Rodgers
So from my perspective, you have to find the folks that are going to be your champions, that are excited for change, that are interested in change.
00:23:30 Jess Rodgers
Because what that's going to do as a first step is they are going to have the energy, they're going to make the changes, and then I think pique the curiosity of the folks that have been hesitant or more rigid to the change.
00:23:44 Jess Rodgers
So you're going to get the curiosity peaked.
00:23:46 Jess Rodgers
You're going to start driving the change.
00:23:48 Jess Rodgers
The wheels are going to get in motion.
00:23:50 Jess Rodgers
But then what I've also seen on the backside of what's really helpful is as you're making the changes, telling the stories of the wins.
00:23:58 Jess Rodgers
when having the business come in and say, to whether it be town halls or team meetings, share those stories of how they've used the new reporting, the new ways of working to their benefit to drive confidence in their decision-making, because there's no better way for the folks that may be hesitant in making the change to see the value that this new way is really helping the business, the organization,
00:24:28 Jess Rodgers
move forward in this new time, that this new world is not going, it's not going back.
00:24:33 Jess Rodgers
This is a new norm.
00:24:34 Jess Rodgers
So that would be my suggestion.
00:24:36 Erin Banet
This has been great.
00:24:37 Erin Banet
As a chief audit and risk officer, you've taught me a lot today as well and a lot of things to think about.
00:24:43 Jess Rodgers
Thank you, Erin.
00:24:43 Jess Rodgers
This has been absolute an honor and a privilege.
00:24:46 Jess Rodgers
I have a tremendous amount of respect for you.
00:24:48 Jess Rodgers
I know you and it's been great to have you in particular interview me.
00:24:52 Jess Rodgers
So thank you.
00:24:55 The IIA
If you like this podcast, please subscribe and rate us.
00:24:58 The IIA
You can subscribe wherever you get your podcasts.
00:25:00 The IIA
You can also catch other episodes on YouTube or at the iia.org.
00:25:05 The IIA
That's T-H-E-I-I-A dot O-R-G.
