Government Contracting Chief Audit Executive (CAE) roundtable: 2021 key takeaways

The second quarterly virtual roundtable held on Sept. 29, 2021, brought together CAEs and internal audit leaders from the government contracting environment. The roundtable discussion focused on current internal audit priorities, collaboration with enterprise risk management (ERM) and compliance, changes in auditing styles and strategies in the remote work environment and other emerging risks and trends that government contractors face.

Participants highlighted topics and priority focus areas throughout the two-hour discussion. The following summarizes the session’s key takeaways.

The evolution of internal audit

Collaboration and culture
  • With a shift to a remote and/or hybrid model over the past 12-18 months, internal audit teams noted they continue to execute on flexible internal audit plans that are designed around collaborating with key stakeholders, enhancing the reputation of internal audit across the enterprise and adding value in high-priority risk areas
  • Areas of concern included employee retention and the focus on building and enhancing organizational culture and collaborative efforts, which has prompted an increased emphasis on building and promoting team morale. Despite the shift in management’s philosophy, most participants pointed out that there had not been substantial changes in executing the annual internal audit plan after the initial adjustment to a remote environment
  • Participants also emphasized an increase in recognizing and highlighting their internal audit team to help foster and strengthen relationships, increase collaboration and promote communication amongst the team and across the organization
ERM and industry-specific audit/risk areas (timekeeping and floor checks)
  • Organizations have been moving away from a traditional internal audit review of the timekeeping process (e.g., a floor check audit) and instead have opted for a more flexible approach often partnering with compliance to increase the availability of information and data. As a result, internal audit could then perform targeted analytics to perform a true risk-based analysis of the data. The targeted analytics would increase the likelihood of identifying potential non-compliance and/or irregularities with the organizational policies and procedures without interviewing a significant number of employees (e.g., when individuals are entering their time, divisions or departments with higher floor check misses, personnel with late time entries, time sheet corrections/adjustments, etc.)
  • Participants emphasized the importance of leveraging the organization’s ERM programs to build internal audit plans that align closely with organizational goals and objectives and mentioned they were moving away from a rotational-based internal audit plan. Not only should ERM, compliance and internal audit collectively align their activities, but there has also been an increased focus on building relationships across organizations with the goal of enhancing the perception of internal audit as a trusted advisor who can also be a value-add partner. Relationship building in a remote environment has been a positive attribute in this regard, largely due to the added efficiency of focused 15-minute virtual meetings (e.g., Zoom, Teams) that otherwise would have been difficult to schedule, especially for those facing a geographically dispersed workforce
  • Each organization takes a slightly different approach regarding the integration of ERM within an organization’s internal audit plan. Participants stressed that a flexible internal audit plan was a key component to their success, allowing internal audit to meet shifting priorities driven by the industry’s dynamic compliance requirements and political landscape. As a result, organizations have transitioned from a more traditional, multiyear internal audit plan to a more flexible one- to two-year internal audit strategy. Further, building relationships and increasing the opportunity for ad-hoc stakeholder feedback around the organization’s enterprise risks has enhanced the flexibility to add, remove or re-prioritize areas of need
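The targeted timekeeping analytics described above (late time entries, corrections and departments with higher exception rates) can be scripted over exported time data; the following is an added illustration, not code from the roundtable or from Baker Tilly, and the records, department names and one-day entry policy are constructed assumptions.

```python
"""Targeted timekeeping analytics: flag late entries and corrections,
then rank departments by exception rate for risk-based floor check follow-up."""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample time entries (not real data). 'entered_at' is when the
# hours were recorded; 'corrected' marks a later timesheet adjustment.
ENTRIES = [
    {"emp": "E001", "dept": "Engineering", "work_date": "2021-09-13",
     "entered_at": "2021-09-13T17:05", "corrected": False},
    {"emp": "E002", "dept": "Engineering", "work_date": "2021-09-13",
     "entered_at": "2021-09-14T09:00", "corrected": False},
    {"emp": "E003", "dept": "Engineering", "work_date": "2021-09-13",
     "entered_at": "2021-09-20T08:30", "corrected": True},
    {"emp": "E004", "dept": "Contracts", "work_date": "2021-09-13",
     "entered_at": "2021-09-13T16:45", "corrected": False},
    {"emp": "E005", "dept": "Contracts", "work_date": "2021-09-13",
     "entered_at": "2021-09-17T10:00", "corrected": False},
    {"emp": "E006", "dept": "Contracts", "work_date": "2021-09-14",
     "entered_at": "2021-09-14T18:00", "corrected": True},
]

LATE_THRESHOLD_DAYS = 1  # assumed policy: hours must be entered by the next day


def is_late(entry, threshold_days=LATE_THRESHOLD_DAYS):
    """True when the entry was recorded more than threshold_days after the work date."""
    worked = date.fromisoformat(entry["work_date"])
    entered = datetime.fromisoformat(entry["entered_at"]).date()
    return (entered - worked).days > threshold_days


def analyze(entries, threshold_days=LATE_THRESHOLD_DAYS):
    """Per-department counts of late and corrected entries, ranked by exception rate."""
    stats = defaultdict(lambda: {"total": 0, "late": 0, "corrected": 0, "exceptions": 0})
    for e in entries:
        s = stats[e["dept"]]
        late, corrected = is_late(e, threshold_days), e["corrected"]
        s["total"] += 1
        s["late"] += late
        s["corrected"] += corrected
        s["exceptions"] += late or corrected  # count each entry at most once
    ranked = [{"dept": d, **s, "rate": round(s["exceptions"] / s["total"], 2)}
              for d, s in stats.items()]
    return sorted(ranked, key=lambda r: (-r["rate"], r["dept"]))


def flagged_employees(entries, threshold_days=LATE_THRESHOLD_DAYS):
    """Employees with any late or corrected entry, the targeted floor check population."""
    return sorted({e["emp"] for e in entries if is_late(e, threshold_days) or e["corrected"]})
```

Run against a full export, the ranked output tells internal audit which departments and which employees merit interviews instead of sampling the whole workforce.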
Reporting to the board or audit committee
  • Participants collectively agreed that they are taking on a “less-is-more model” when it comes to reporting. This approach enables internal audit to communicate findings and results to the board using focused PowerPoint presentations and dashboards with visualizations instead of the traditional narrative-style report. Although the detailed report can be made available at the board’s request, focusing the results or takeaways on the critical components of the findings allows for more thoughtful or robust conversations
  • Additionally, there has been a shift in the focus of the presentations to the board and its committees. Internal audit is becoming less likely to focus reporting solely on quantitative metrics (e.g., the number of audits performed, overall hours or size of the team), and instead has focused on results, recommendations and leading practice analysis (e.g., peer benchmarking)
Data analytics
  • Data analytics continues to be an emerging yet not fully mature resource for internal audit functions. Nearly all the panelists discussed their goals of incorporating data analytics into audit activities at an increasing rate, along with other tools, technologies and automation
  • Participants mentioned Sarbanes-Oxley testing, floor check reviews and segregation of duties (SoD) assessments as a few of the areas where they have achieved efficiencies by using data analytics and automation. However, the biggest challenge in incorporating these tools and technologies has been the availability and accuracy of data

Enhanced focus/emerging focus

Cybersecurity Maturity Model Certification (CMMC)/Information Technology (IT)
  • Most organizations continue to perform penetration testing as a method of evaluating the effectiveness of the organization’s internal controls. However, they are still evaluating how internal audit can be incorporated into this process. Some organizations shared that they allow the chief information officer (CIO) or chief information security officer (CISO) to manage those risks, while others are asking if they need to ensure that the work of the CIO and/or CISO is occurring as planned (e.g., audit CIO results). Internal audit can provide value at the conclusion of the penetration testing through the follow-up process to ensure initial observations have been appropriately remediated, and that the risk mitigation practices can be maintained going forward, not just for a point-in-time assessment
  • Organizations’ boards and audit committees have an increased focus and interest in cybersecurity-related topics. Some organizations have established regular meetings with their security advisory committee, which serves cross-functionally and reports to the board on critical topics. One emerging question that organizations are asking is whether they have adequate cyber insurance coverage and, with the increasing cost of coverage, whether they have the right amount of coverage for their organization
  • Further, CMMC compliance requirements are still looming over government contractors, and organizations are still working to determine how the recurring testing will be conducted when they are required to comply. Currently, there is a requirement to monitor the health of the organization’s cyber practices. Most organizations are trying to determine if that health assessment will be conducted by internal audit or another function within the business
Environmental, social and governance (ESG)
  • ESG has been a priority focus area for organizations over the past two years due to increased awareness across the industry and the identification of associated risks during their enterprise risk assessments. However, there is limited guidance relating to the role of internal audit in this risk area, and participants have recognized that aspects of ESG are becoming more prevalent within most of the internal audits they execute. The discussion among the CAEs focused on the challenge of how they can consistently address these risks within the scopes of current or future internal audit activities
  • Participants also commented on the lack of specific procedures internal audit has developed and what internal audit can do to provide assurance over risk factors related to ESG at this early stage
Emerging risks
  • One additional area the panelists highlighted was their current focus on emerging risk areas. Boards and audit committees have been increasing their attention on risks outside of the current internal audit plan and/or ERM framework, and they look to internal audit to help identify and evaluate these emerging risk areas. For example, the group discussed areas related to third-party risks, including subcontractors and vendor management

For more information, or to learn how Baker Tilly can help, contact our team.

Cassandra Walsh
Corey Parker
Matt Gilbert