Deloitte Africa's Rushdi Solomons on rethinking internal audit
The CFO must rely on a tech-enabled, data-enabled and business-savvy internal audit function, he says.
Rushdi Solomons heads up internal audit services for Deloitte Africa. He believes that internal audit is a function which can add immense value beyond the “tick box” reputation that perhaps still persists. But, he admits, that’s a view he had to come around to over time.
A CA by training, Rushdi took the “traditional route” at the start of his career. He quickly realised, however, that he wanted to contribute to more than the “financial bottom line”. He joined the Auditor-General (AG) of South Africa, where he was involved in a team that focused on value for money within the service delivery functions of broader government – essentially, how government can really make a difference and have real impact on the lives of citizens.
From here, he was attracted by Deloitte because of their advisory focus in both private and public institutions driven by the purpose of “making an impact that matters”. He took the leap and joined Deloitte in the Risk Advisory business, quickly working his way up to heading the internal audit unit.
The career shift came with some self-initiated training, including a Certified Internal Auditor qualification. Here, the true definition of this function was really drilled home for him. “Internal audit is so misunderstood,” he says, “It is an independent objective assurance and consulting/advisory activity, primarily designed to add value and improve an organisation's operations. We can advise businesses on how to improve their organisations – and that's the area in which internal audit can really prove its worth but is not used very often. Management and particularly boards default to just the assurance mandate.”
Fixing the “broken” triangle
Rushdi believes that the internal audit activity functions best as one point of a triangle, along with the CFO and the audit committee or board. “But the triangle is often a broken one,” he says, “and internal audit can be disempowered by a short-sighted committee or CFO. If you’re hindered in this role, with a directive to focus only on internal financial controls assurance and nothing to either side of that spectrum, it diminishes the value of the function.”
When the triangle works best, Rushdi says, internal audit is able to balance the aspects of value protection and value creation. “This is the role that the internal audit of the future will be well placed to play. Internal audit will position themselves as the instrumental supporter of a ‘purple CFO’.”
A so-called purple person – a concept defined by business intelligence thought leader Wayne Eckerson in 2010 – is one who possesses that in-demand mix of both business sense and technology skills. Rushdi believes that CFOs will increasingly need to be or become purple persons, and that internal audit functions should be shooting for that mix too.
“Becoming this is a journey that the CFO should be on. And in that journey, the CFO has to rely on an internal audit function that is also tech-enabled, data-enabled, and business-savvy. With all the things a CFO has to deal with, this might not be top of the agenda, but it should be part of a plan for the future.”
Rushdi says that tech is already fundamentally shifting both the day-to-day business, and internal audit function. Machine learning, artificial intelligence (AI) and data analytics mean that auditors can crunch through large sample sizes (even full populations), be more proactive in spotting inconsistencies that could point to risk, and essentially audit by exception. “With continuous controls monitoring and assurance, the internal audit function is more insightful, and we are able not just to see trends but predict them and understand them. Spend analytics reveals the true behaviour of transactions in your business, beyond the processes that are designed to govern behaviour. Using data analytics quite extensively to support internal audit, the CFOs, and management teams are no longer ‘nice to haves’ but ‘table stakes’ for us. AI, robotics, machine learning, and other elements of the fourth industrial revolution including crowdsourcing, are also not ten years away but are already implemented in part or as pilots.”
In essence, he argues, this data boom is shifting internal audit beyond seeing control gaps and deficiencies, and towards being truly value-adding business advisors – in addition to the risk lens that it already applies to the business. With a solid relationship in place between internal audit and the CFO, this creates possibilities to be more agile, and to grow the business with full view of the value chain across the business.
“Where I’ve seen this work best is with CFOs that have an appreciation for the full landscape of risk, and how the world has changed. They appreciate having as many individuals as possible having the necessary conversations and looking out for the business. Once they see the scope and breadth of the internal audit function, they expect the internal auditors to walk that journey with them.”
“Some CFOs actually say internal audit should be able to provide a return on their investment. Be it an in-house function or an outsourced function, they should be able to pay for themselves in perhaps how they help save the business money, or how they provided for operational efficiencies, or even how they enhance the way in which the business is doing things and unlocking opportunities."
A typical example, Rushdi says, will be picking up deficiencies in the contract management system, and being able to engage with the CFO on what better systems there are in the market and what functions this needs to fulfil. Thereafter, however, it’s up to the business. Internal audit can’t make management decisions.
“This means walking a clear but fine line, because you always need to be independent and objective. But you need to ensure that when you're doing reviews, you're doing it from the perspective of how you're going to help the business.”
This article first appeared in CFO Magazine.