Naohiro Mouri is Executive Vice President and Chief Auditor of AIG. He joined AIG in 2015, and has some 27 years of experience as an auditor. In 2019, he completed a 14-month volunteer post as Chairman of the Institute of Internal Auditors. Mouri-san regularly lectures on internal audit, and has co-authored a book on internal auditing for financial institutions, which is available in both Japanese and Chinese.
May is Internal Audit Awareness Month, an event that promotes and celebrates the value that internal auditing brings to organizations. As AIG takes part in participating in this event, Mouri-san discussed with Knowledge & Insights his views on the special role internal audit plays within corporations, how the nature of the audit function is changing and why someone would want to pursue internal audit as a profession. The answers may surprise you.
What role does an Internal Audit Group play at a large corporation?
Over the course of my career I have seen the role of an internal audit group evolve from one where colleagues view you as a ‘watchdog’ function, to becoming a trusted advisor and partner within the organization. There are two things that an Internal Audit Group does. First, we protect the organization by providing objective assurance, advice and insight through a variety of audit activities. The second thing, which is equally important, is that we help business lines establish a very strong and robust set of internal controls. If a company has better controls, they can serve clients more efficiently, as well as reduce costs.
Even though internal audit builds enormous organizational value, people often look at it as some kind of police, or even as an adversarial entity. What can be done to counteract that misperception?
We’re not the police. (laughs) It’s about getting to know us, and us getting to know our colleagues within AIG’s businesses and functional areas. Frequent communication is very important for an Internal Audit Group. A common misperception is that we just look at books and records and report issues. That’s not what we do. The majority of the time, we analyze data which helps us test that controls are operating effectively. If the control is not operating effectively, it is our job to report that to management and the Audit Committee of the Board. By doing so, we are helping the company and protecting enterprise value.
I do think there are a number of approaches that can help auditors better brand themselves as helpful partners. One example that I’ve seen work well is when a business stakeholder proactively tells the auditor that a control is currently not working properly. Our audit teams do take that proactive approach into consideration when determining their view of the overall control environment they are reviewing. This helps instill and promote a risk culture where employees are encouraged to raise risk and control issues, which in turn helps internal audit and the company ensure its controls are operating properly.
What is your vision for how Internal Audit Groups operate, and what are some of the biggest objectives you see as being critical toward optimizing internal audit within corporations?
We have to start optimizing and automating processes now. Large companies have vast amounts of data related to transactions, customers, financials, etc. Thanks to new technology, we can use that data to enhance audit testing whereby full populations can be evaluated, providing greater assurance to our stakeholders.
For example, what auditors typically do is look at a population of 10,000 transactions and test a sample of 25-50. They then extrapolate the results to the entire population to formulate their conclusions. Today, with available technologies we can look at the entire 10,000 transactions, which is much better and provides greater assurance to management and the Board.
These technologies are with us now, and they are affordable, so why not use them? If we have clean data, then we can build an algorithm to test it all the time. Auditors typically work backwards from a point in time. Let’s say in order to test the control, you look at historic data from the last month end, going back three years. Now, if we are able to actually look at the same data, real time, we could potentially predict what could happen in the future because we can see the trends and anomalies today. That’s where we want to go. This will require auditors to have different skill sets and we have to develop and train our teams now.
As you look back at your chairmanship of the Institute of Internal Auditors (IIA), what did you learn?
I learned so much from my chairmanship and met so many people performing internal audit around the world. I visited 47 cities in 14 months, and for half of those I visited AIG offices. The IIA has over 20,000 members in over 90 countries, so the energy and the enthusiasm coming from the membership was just tremendous.
Your role as chairman put you in a unique position over the entire internal audit discipline. What trends did you see?
Clearly, the fourth industrial revolution is here with Artificial Intelligence, the Internet of Things, Blockchain, and so on. Moving into a digital world is affecting Internal Auditors. Internal Auditors must look at how those technologies are being used. There are other technologies, like voice recognition, that could change how an internal auditor documents and shares the results of their work, and how they interact with stakeholders. Working outside of the box and changing the mindset of what we can do is the big trend in internal audit today, and we are trying to be at the forefront of leveraging these tools.
How are you seeing the COVID-19 pandemic impact the Internal Audit profession?
Over the past few months, business communities in U.S. and around the world had to quickly react to this humanitarian crisis by limiting travel, working-from-home and relying on virtual communications to connect with stakeholders on critical needs. I also saw Internal Audit professionals reacting to the heightened risks presented by this pandemic by increasing criticality of data and stakeholder availability and by identifying critical Key Performance Indicators and Key Risk Indicators. I think our industry needs to re-evaluate “point in time” auditing, as it is not relevant to the fluid and evolving COVID-19 environment. It will have to build automated platforms to test controls in real- or near-time. Internal Auditors will also need to be equipped with remote data analytics capabilities to test the full population of controls instead of sample-base. This will provide greater assurance to stakeholders on the state of their critical controls. We are in the “new normal” for the Internal Audit industry, and Internal Auditors will need to adapt using agile techniques.
You are well known as an enthusiastic advocate for internal audit in general. What is it about the discipline that you like so much?
Being a chief auditor allows me to see the entire organization. This gives me the ability to learn anything and everything and creates an opportunity for Internal Audit to help the organization. It is a very different experience vs. just working for one business line. Auditors have the ability to see across the organization and identify themes and trends, both good and bad, but most important we learn and share those views. It goes back to how we add value to the company. Better service to the stakeholders, better ways of working for the employees.
Finally, as auditors we are uniquely positioned to learn something new every day. I’ve been in audit for 27 years and I’m still learning. But it’s exciting to come to the office every morning and say, “What can I learn today?”
If your children said to you that they wanted to become a chief auditor when they grew up, what would you tell them?
I would tell my kids that if they wanted to do this, you have to be really open-minded. But if you like to continue to learn, and if you like to help people, then this is the best job that you can get.