Diligent Q&A – Mike Levy on how internal audit is bridging the enterprise risk management gap
Mike Levy, CEO and Managing Principal of Cherry Hill Advisory and Chairman of the Board in North America for the IIA, discusses how the role of internal audit has grown as organizations navigate evolving risks.
Tell us about your roles at Cherry Hill Advisory and the Institute of Internal Auditors (IIA) and the organization's mission.
I serve as CEO and Managing Principal of Cherry Hill Advisory and Chairman of the Board for the Institute of Internal Auditors (IIA) within North America.
Cherry Hill Advisory is a leading global risk advisory firm dedicated to providing comprehensive internal audit and transformation services. Our expertise spans Cyber Risk, Operational Auditing, Emerging Risk Management, Risk Assessment, Financial Compliance, Business Transformation and Quality Assessment.
The IIA is the global association representing the internal audit profession globally. With over 250,000 members in more than 115 countries, our goal is to elevate the internal audit profession globally through standard setting, certification and education.
How has the internal audit role changed over the last five years?
Internal audit has changed dramatically over the last five years, with an ever-increasing volume of emerging risks forcing auditors to take on a heavier advisory role as they help companies navigate the changing risk landscape.
Non-financial risks, like cybersecurity or environmental, social and corporate governance (ESG), now need to be measured with the same rigor as financial risks. Yet according to a survey by Deloitte, only 34% of respondents said their company was excellent or good at measuring and tracking non-financial performance measures.
Enterprise risk management (ERM) programs are crucial to filling this gap. While ERM is considered a second line function, we often see internal audit teams tasked with doing a lot of the legwork. In this new era of risk, companies need better tools to measure non-financial risk efficiently and consistently, and connect internal audit with other vital functions across the business — like risk and legal teams.
Diligent's recent "Cybersecurity, Audit and the Board" report found that organizations with an audit committee overseeing cybersecurity had almost as high cybersecurity ratings as organizations where cybersecurity is overseen by a specialized risk committee. Why do you think that is?
Having the proper resources – people, process and technology – and strategy in place are some of the most important aspects in a successful cyber program and would result in ratings being at a high level. As the report shows, organizations that have either a risk or audit committee on their board are more likely to have advanced cybersecurity performance, and companies with neither are more likely to have basic cybersecurity performance.
Whether there is a specialized risk committee or the audit committee, I think both accomplish the task depending on the risk profile of the organization. It is more important that the members of the committee have the appropriate skill set.
The report also notes that companies with higher cybersecurity scores perform better financially, demonstrating that cybersecurity is not just an IT issue — it is an organization-wide issue that has direct impact on a company’s performance. So having audit play a role in overseeing cyber risk makes a lot of sense.
How have non-financial disclosure requirements, like the SEC's cyber and climate risk disclosure rules, changed how organizations approach internal audit?
Internal audit has always been focused on strategic, operational and technology risk but often spends a significant amount of time on financial risk topics. As the risk profiles of organizations change and additional compliance requirements begin to be layered on (i.e ESG and cyber), organizations are turning to internal audit to assess these areas which results in the scope of the internal audit function expanding.
Internal audit now plays a greater role in shaping the organization’s strategy, and practitioners increasingly need to share insights directly with the audit committee and board to elevate their understanding of key risks and opportunities.
What are your tips for boards looking to more effectively oversee climate and cybersecurity risk?
Ensuring that board training and recruitment is robust enough so that board members know what questions to ask is important, especially amidst increased pressure from regulators for boards to demonstrate oversight of cybersecurity and climate. One of the best things that boards can do now is take advantage of certifications and education that promotes literacy around things like cybersecurity and ESG, so they can more effectively oversee enterprise risk and have more productive conversations with management.
Again, boards engaging more frequently with internal audit will also put a spotlight on topics and issues which present the greatest risks to organization. Boards should ensure that resourcing is appropriate within organizations so that there is a robust internal audit function along with adequate resources in place to support the groups responsible for owning climate and cybersecurity risk.
