Top auditors at Cisco, Google, and LinkedIn employ innovative practices to meet the demands of their clients ever-changing environments.

Transcription

1 Tim McCollum Top auditors at Cisco, Google, and LinkedIn employ innovative practices to meet the demands of their clients ever-changing environments. 30 Internal Auditor

2 technology Auditing at the speed of technology No annual audit plan. No formal audit reports. Reporting findings as software bugs. These ideas and more created considerable buzz among a capacity crowd of audit executives during a recent panel at The IIA s General Audit Management conference in Orlando. Thinking outside the box amid constant change is business as usual at Silicon Valley s most innovative companies, where the mind-set is that they are transforming the world. Lisa Lee, Google s director of internal audit, says the company encourages employees to be uncomfortably excited about what they do. You can only do that if you re challenging the status quo and looking at things differently, she says. Lee and her internal audit peers at the world s top technology and Internet companies work in organizations that are perpetual change initiatives. For them, internal audit must adapt to the rapid pace and make new assumptions about how to treat risks and provide assurance. And auditors must come up with their own innovations, as well. Internal Auditor 31

3 Auditing at the Speed of Technology If the house is burning, you re not helping anyone by standing on the sidelines and reporting that the house is burning. Lisa Lee Problem-solving For Lee, leading the audit team at Google means working in an environment of organized chaos. That was quite an adjustment for her following stints with KPMG, SAP Consulting, Cisco, and OpenTV where the pace of change and rate of growth were different. When you first come in, you re not only learning Google s processes and products, but also adapting to the culture and the way we do business, says Lee, who joined the company in That s like drinking from a fire hose. To adapt, auditors must be as forward-looking as the rest of the company, she says. That sometimes requires members of her 40-person team to revise their assumptions about risk and their role in addressing it. The biggest difference is how Google takes on risk, Lee explains. The company s drive to create world-changing products and services doesn t really coincide very well with being risk averse. At Google, risk management isn t about eliminating risk it s about managing it and focusing on its upside. Google s risk universe involves the same financial, regulatory compliance, and operational risks that other companies face, but the company also faces risks arising from the disruptive technologies it develops. Those on Lee s team have to be aware that their risk recommendations can have huge opportunity costs for the company. Most organizations tend to be more risk averse, and try to mitigate risk rather than considering whether they can live with a risk if it conflicts with business objectives, she says. Google being in the space of developing revolutionary products, there have to be risks that we re not going to know, and we have to be okay with that. Working in an idea factory, Lee bases internal audit s work on Google s initiatives. Google is constantly developing new technologies: most recently Google Glass and a project to create self-driving cars. For each of these initiatives, the audit team asks the business unit about its objectives, the processes involved, and the risks to achieving success. As the initiative is being implemented, the team may become more of an adviser, suggesting options for managing risks. That requires more of a collaborative, problem-solving approach to audit, with an emphasis on no surprises, Lee says. If the house is burning, you re not helping anyone by standing on the sidelines and reporting that the house is burning, she asserts. What you can do is help identify alternatives to put out the fire. The 30-year-old Startup The adjustment that Lee went through at Google, Tom Austin is going through now. Austin joined networking equipment company Cisco Systems Inc. last year as vice president of governance, risk, and control, overseeing 50 internal auditors working around the globe. While hardly radical, Cisco s culture is more sales-driven and consensus-oriented than the operations-oriented culture at his previous company, semiconductor equipment manufacturer Applied Materials Inc. It s a challenge to understand how I can be most effective in that culture, Austin admits. I didn t appreciate it fully until I realized it was going to take a different approach. Although Cisco is an established company, he says it still acts as if it is a startup. Lately, though, it has recruited executives like Austin to help it establish better business processes as it matures. Austin has been educating managers about internal controls. You need to get higher efficiency out of the company as it matures, he explains, and the way to do that is to get more discipline around your processes. Getting its processes under control is becoming even more important as Cisco makes a seismic change in its 32 Internal Auditor

4 Visit our mobile app to view a discussion with Cisco s Tom Austin and Google s Lisa Lee. business model. The company recently announced it will invest US $1 billion to develop a cloud service business over the next two years. Instead of selling stand-alone routers and switches, as well as video- and Web conferencing, Cisco will provide these solutions as a service. If the vision of the company is to move into the cloud, the challenge for internal audit is how does the company do that? Austin says. Becoming a solutions provider raises new risks especially around data security. Another problem is that Cisco s sales force, infrastructure, and processes all revolve around manufacturing and sales, rather than providing solutions. We ll look at different processes that have been put in place for the new business model and try to assess whether we are set up right, Austin explains. A Sense of Urgency Compared to Cisco and Google, LinkedIn is a smaller, up-and-coming company, but it s no longer a startup. Now publicly listed, the social networking company remains in a startup-like growth mode. The pace is fast, with a tremendous sense of urgency, says Inder Gulati, LinkedIn s head of internal audit, who joined the company in 2011 to help establish the internal audit function after working at Visa and PricewaterhouseCoopers. The expectations from internal audit s stakeholders are primarily focused on value add, he notes. For Gulati s 12-auditor department, that translates into working closely with management and business units to establish processes, controls, and systems that can scale up as the company s operations expand globally. For example, when LinkedIn launches in a new country, internal audit must understand the technology involved, the legal and compliance requirements, the financial guidelines, and other issues specific to that market. It is critical to have a good understanding of the business and to have a good understanding of what can go wrong, he explains. Equally important for internal audit is having strong relationships with stakeholders and providing a healthy balance of assurance and advisory services, Gulati says. Internal audit also works closely with the audit committee to continuously monitor risk and address problems. We keep revisiting our focus areas to mitigate risk in real time, he says. That means we are providing support to the business when and where it really matters to them. To Plan or Not to Plan Which brings us back to the general session in Orlando where Gulati and Lee told the audience that they didn t have an annual audit plan. Gulati says annual plans can t keep up. Since the business is changing so fast, it is difficult to finalize the internal audit plan for the entire year, he observes. Instead, LinkedIn s internal audit department consults with management and the business units to identify risks and other issues and then determines the audit projects for the next quarter. Those audits need to align closely with LinkedIn s strategic objectives, he says. Although Google s internal audit team doesn t have an annual plan, Lee is quick to say that there is some structure. It s not that we don t plan, she explains. It s more of an adaptive plan. Lee has a running list of potential audits, but actual planning is done continuously, guided by core risk themes. Each quarter, Lee and her team evaluate Google s various initiatives and consult with management to select the ones that need attention. But because things are constantly changing, internal audit also must be flexible enough to deal with issues that suddenly become a priority. Audit planning is particularly complicated at Cisco, which is a highly complex, matrixed organization with different operating divisions and national You need to get higher efficiency out of the company as it matures, and the way to do that is to get more discipline around your processes. Tom Austin It is critical to have a good understanding of the business and to have a good understanding of what could go wrong. Inder Gulati Internal Auditor 33

5 Information technology ranks as one of the top five priorities for audit committees and executive management, according to The IIA s March 2014 Pulse of the Profession Survey. operations in 160 countries. Even with a large audit team, it s impossible to audit everything, Austin says. Unlike LinkedIn and Google, Cisco does have an annual audit plan, but Austin revises it quarterly. The department performs six audits per quarter each lasting about 13 weeks including 10 regional audits each year. Being selective leaves room for the department to take on consulting projects such as providing design reviews on new processes, systems, or applications, and addressing broader control issues raised by internal investigations. Something is going to come up, and we ll want to be at the table to support the business, Austin says. We just don t know what that is yet. Audit Innovators While auditors must adapt to changes at innovative companies, they re also bringing innovations of their own. As expected, these departments make heavy use of technology. At Cisco, IT is integrated into all internal audits. The department s forensics team has developed its own data analytics application, which looks at correlations in data from various company sources, such as travel, expense reporting, human resources, and procurement applications. The audit team looks for anomalies in the data, such as people filing expense reports while they are on vacation, or gross margins in a quoteto-collect application that are below the threshold that should have required approval. What s great about data is you can sample 100 percent of the population, Austin says. Now I can target sample the population in areas where I see anomalies and see where there might be problems, and then understand whether they are systemic for that type of transaction. Likewise, Google s internal audit department leverages its own IT knowledge as well as taking advantage of the built-in expertise within the company. Data is everything at Google, Lee notes. Audit clients want to see the data to make a decision. It s in their DNA. Auditors at Google need to be able to work closely with clients who are engineers building highly technical systems and must have the expertise to understand their software code. You need to have that depth of knowledge to have a conversation with them and be able to trust, but verify, and challenge a position they ve taken, she says. Getting the Bugs Out Internal audit s most unique innovation at Google is audit reporting. Previously, auditors submitted stand-alone reports of their findings, but they found that business units would have to reconcile the findings and add them to their own to-do lists. But engineers at Google, like most technology companies, are used to addressing problems or making requests by filing automated bug reports. Two years ago, Google s IT audit team suggested using bug reports to point out audit findings. The bug system communicates findings to the business unit and sends automated reminders that the problem is still outstanding. The biggest benefits are timeliness and using an existing work prioritization tool. As soon as an issue was identified, you logged it, Lee explains. You didn t have to wait for a report, and process owners didn t have to manage a separate list of requests. The success of the bug reports has led Lee s team to question the value of traditional audit reports. Until recently, internal audit still produced a full report and supplemented it with a presentation to the audit committee, management, or business unit. Lee suspects most relied on the presentation, rather than reading the full report. So, her team is experimenting with producing a one-page summary While auditors must adapt to changes at innovative companies, they re also bringing innovations of their own. report in lieu of the formal report. I don t believe people really care about what we did during the audit they care about the outcome, she asserts. It gets back to value spending your time on the most valuable things and giving people information they care about. That approach is similar to the concise, easy-to-understand approach LinkedIn already uses to communicate its findings. That way the business really understands the issues with clear, actionable items, Gulati says. The objective is to provide the information that matters most to the client. Although Cisco s Austin and his team continue to produce traditional audit reports, they use the reporting process to communicate broader lessons to the company as a whole. Due to Cisco s size, individual business units may go a long time between audits, but audit findings and recommendations in one area may be applicable to other operations within the company. That can have a bigger impact, Austin explains. If I can identify a trend or common root cause, I can make people aware of it so they can solve it where they are, he says. That approach to reporting is just part of his team s more comprehensive strategy to keep business units and other audit stakeholders involved throughout Internal Auditor 35

6 Auditing at the Speed of Technology the audit process. One way they do this is by having touch points and ongoing meetings with counterparts in operational areas of the business. This gives internal audit the information it career auditors internal control and financial know-how and the rotational auditors knowledge of operations. You need a well-rounded team, Austin says. I don t profess that we re Reporting is one example of how being open to new ideas can help auditors succeed at fast-changing companies. To comment on this article, the author at tim.mccollum@ theiia.org needs to scope its audits, keeps clients informed of the department s ongoing audit and consulting work, and widens the benefits of audit findings. The whole process involves a lot more interaction with the auditee, Austin says. What It Takes to Succeed Reporting is one example of how being open to new ideas and coming up with their own can help internal auditors succeed at fast-changing companies. Success requires the right mix of skills and insight, too. Gulati says that LinkedIn is all about transforming your professional experience and that goes for its auditors, too. The department is set up along eight areas: risk management, transformation initiatives, process and controls excellence, internal audits and investigations, country audits and compliance reviews, compliance monitoring, continuous control monitoring, and compliance with the U.S. Sarbanes-Oxley Act of Collectively, the department has experience in all these areas. We supplement our resource needs for specific projects with advisory services from accounting firms, Gulati says. At Cisco, the audit team is a mix of career auditors and professionals from other parts of the business. Austin says everyone brings different expertise to audits the experts in any area. We know enough about everything to be effective. Google s audit department has been a big exporter of talent to the business, which helps the auditors careers and brings business insight to the team when practitioners return. It helps the company, too. You re effectively developing a larger control environment, Lee asserts. To be effective, Google s auditors must be problem-solvers, good listeners, able to navigate ambiguity, and scrappy, Lee says. We want people who roll up their sleeves and figure out what needs to be done. Being scrappy comes in handy when dealing with audit clients who may see internal audit as an obstacle. Lee recalls a client who was struggling to understand the importance of a risk issue she was communicating. The conversation changed when she told the client, I feel just as responsible for this issue as you do. Lee explains. The conversation became more about let s talk about why, as opposed to You re criticizing what I do. Ultimately, the lesson here is that internal audit is on the same team as the rest of the company, Lee says. That way of thinking can break down a lot of barriers and make auditors more effective in even the fastest-moving organizations. Tim McCollum is Ia s associate managing editor. 36 Internal Auditor