Selecting a Chief Internal Auditor is an art with big pay-offs
Comprehensive job descriptions (JD) for the Chief Internal Auditor (CIA) are available on LinkedIn. The CIA is a departmental head position and an enterprise-level officer, and fitting the JD may not be the only yardstick, especially where there is an external candidate. The challenge is to hire a candidate who is ‘fit-for-purpose’ for your organization.
To identify a candidate who is fit for purpose, we can get it right the first time or through iterations. By writing a detailed note of our expectations, beyond what normally goes into a JD, we improve the probability of a successful selection process.
A few suggestions on what may go into this ‘expectation note’ are given below.
Before we start, the concept of an enterprise-level officer needs to be well understood. They have a pivotal role in adding to the hands of the CEO & the leadership team. The chances of meeting enterprise objectives improve significantly if there is a well-meshed enterprise team. Hence it helps to have the incoming incumbent meet the enterprise team & the AC Chair/AC Committee before releasing the appointment letter.
Usually, the selection criteria would include:
1. Industry knowledge
2. Technical knowledge
3. Soft skills
In addition, I suggest evaluating these further aspects of the candidate's profile:
1. Relevant cultural experience
2. Skill in preparing a mid-term internal audit strategy
3. An inclination towards developing a digital mindset
4. Being current on the technical basics of internal audit
5. A bias for personal value addition
Relevant cultural experience
A common consideration is whether the candidate has worked in the same industry. A step down from this specification is to look at similar industries. So, if production is a key value proposition and the business is in a process industry, then getting someone with discrete manufacturing experience does not help. Further, within the industry or similar industries we may look for additional experience: if the e-commerce segment is a focus in retail, then this add-on experience should be on the checklist when hiring a CIA for a retail company. For example, a neo-bank startup would look for internal audit experience in banking & fintech.
The CIA has a significant interactive role with different levels of the organization, and there is an acceptance phase. For a quick start, a candidate with prior knowledge of, and well acquainted with, the entity’s business culture could prove useful in shortening this acceptance phase. This applies more to entities with a deep-rooted organizational culture, such as traditional business groups, MNCs, large professional firms, etc., unless there is a justification for taking an industry outsider (and sometimes there is) along with a willingness to invest 10-12 months in the CIA’s acceptance & learning curve. Another aspect is to be aware of the candidate’s likely working style. Those of us who have had a pan-India role are aware of the variety in working styles across different regions, even within the same organization. However, this may not be applicable to new-age businesses such as start-ups or even IT companies.
Skill in preparing a mid-term internal audit strategy
Internal audit provides two services in GRC, viz. assurance & consulting. For entities in a tough environment or industry (highly regulated, with opaque trade practices, complicated or partly structured markets, etc.), assurance is usually understood as the main requirement. Delivering a view on the GRC effectiveness level is only a partial step in internal audit’s value proposition. Organising or participating in control assessment workshops, ethics training, designing predictive controls, creating awareness of upcoming digital processes in the trade, etc., which are normally seen as the consulting part of internal audit, are equally important for improving the GRC effectiveness level. Hence the incumbent’s ability to prepare a mid-term internal audit strategy, in consultation with the CRO & other assurance providers, needs to be tested at the interview stage.
An inclination towards developing a digital mindset
The pace of digital adaptation at large entities is high, so unless the candidate is a digital native (i.e., under 35 years), the incumbent’s mindset on learning digital needs to be tested. Personal digital learning maturity is reflected in an inclination to continuous professional education (CPE), e.g., taking online courses in areas of topical interest such as cybersecurity, blockchain, RPA, e-commerce, JavaScript, IoT, etc.
Being current on the technical basics of internal audit
Many a time, departmental managers become overly obsessed with administration activities (resource availability & training, communication, planning, directing, etc.) at the cost of remaining current with the technical basics of internal audit. To command the respect of their team and to add strategic value, the CIA needs to be current on the technical basics of internal audit, such as:
· Automation of the internal audit process & data analytics
· Current practices in fraud assessment & related audit procedures
· Current practices in IT risk assessment & related audit procedures
A bias for personal value-addition
A mindset of personal value-addition is crucial. An area to take up accountability is providing insightful information when a new management activity is being introduced. I have seen in the past CIAs who have left a mark in their organisations by becoming the go-to person for information on that area till the activity requires a full-fledged enterprise officer. Around three decades ago it was to be the go-to person on data analytics. I remember speaking to a legendary internal auditor who was working at a retail chain major. He said that he became the go-to person on data analytics & during this time business managers used to regularly call up for information & discussion. After that, getting internal audit information from them was a breeze (there is a typical complaint of auditors that the auditee withholds information or gives it late). Around a decade ago it was managing the risk register and now it is probably maintaining the innovation register.
Keeping fit-for-purpose as the lodestone
At times, as per company policy there are age limits. There are also mavericks who have worked across multiple industries, time zones, etc. Are they over-qualified? Should we go strictly by company policy? At times it does help to use a highly experienced CIA for a couple of years to rebuild the internal audit function and train a successor. If there is any general guidance to give, my preference is engaging a thinking person on internal audit rather than a compliance mind-set. Removing other criteria and keeping in focus the fit-for-purpose criteria does make decision-making simple.
The payoffs in engaging a competent & effective CIA are substantial, and Indian internal auditors are increasingly making their mark. For example, there are growing instances of global companies making India the APAC hub for internal audit.
The starting point is investing time on the expectation note and in my view this activity should pay rich dividends.
ITGC Lead- Global IT Controls at PepsiCo
3 years ago: Great read!