Join Richard Chambers for a new episode of his Agents of Change video series, featuring conversations with internal audit leaders from some of the world’s most prominent organizations about innovation in the profession.
In this episode, Richard sits down with Russ Charlton, Chief Audit Executive of Advance, to discuss the evolving role of internal audit in driving organizational change, including:
- How rebranding internal audit as “risk advisory” shifts focus from traditional assurance to proactive value creation and strategic business partnership.
- The critical role of building trust with leadership to successfully navigate potential conflicts when internal audit owns both assurance and enterprise risk management functions.
- Why embracing artificial intelligence is essential for modern auditors, not only to enhance capabilities but to remain relevant in an increasingly automated profession.
Watch the full conversation, and read the can’t-miss highlights below.
Redefining Internal Audit as a Value Driver
Richard Chambers: In my book, Agents of Change, I talk about internal auditors needing to embrace change in this era of what I call ‘permacrisis’ to help derive value in their organizations. I define agents of change as those internal auditors who are catalysts for transformational ideas. What’s your sense of that as a role for internal audit?
Russ Charlton: I absolutely agree. In fact, at Advance, we’re not referred to as “internal audit.” We’re referred to as “risk advisory.” The idea is to have a heavy mix of advisory work, with a little bit of assurance thrown in. We’re there to help the company succeed. For example, if it’s a system implementation, we say, “Let us come in up front. We’d rather give you our advice now rather than come back later and audit and tell you the things maybe that you didn’t do so well.” Clearly, we want to help the companies change and grow. And because some of our portfolio companies are not as mature as others, we can really add value because we bring a wealth of experience across our risk advisory organization.
Leveraging ERM to Enhance Internal Audit’s Value
Richard Chambers: How can organizations ensure that their internal audit function is identifying and mitigating the risks that can swiftly undermine the company’s ability to achieve its objectives, particularly in this very uncertain period?
Russ Charlton: In my opinion, having internal audit very closely linked to ERM or actually being an owner of ERM has been a great way of doing that. I think by having auditors involved with a company-wide risk assessment allows them to understand the risk beyond just whether or not a control was working in the financial area, but the broader risk of the organization.
When I came on board at Time Inc., the first thing the audit committee asked me was, “What’s going on with ERM here?” And I said, “We don’t have ERM.” They said, “We’d like to have ERM.” So I volunteered to start it and it was incubated out of my group. The same thing happened when I went to WeWork. There was no internal audit. I went there to start it, in preparation to go public, and I brought in ERM and internal audit.
While we may not audit every area of a company, we do speak to the heads of every one of those departments across all those companies at least once a year to talk about risk. And that makes my auditors much more aware of what’s going on in the business.
Building Trust to Navigate Potential Conflicts
Richard Chambers: How have you navigated any potential conflicts or perceptions that you don’t have the objectivity when it comes to risk, especially when you’re both Head of Internal Audit and responsible for risk management?
Russ Charlton: It just occurred to me, I thought about it as you were saying, that it is trust. And I was thinking back to one of your other books, Trusted Advisors. The trust that an auditor needs to build with the audit committee — particularly the chair — and with the CFO and other C-suite management, and other members of management.
When I went in and said, “Hey, I think I can do ERM and audit. If you guys have problems with that, here’s how we can set it up to make sure that we don’t run afoul of any sort of conflict.” They’re like, “Russ, we trust you. We know that you’re going to do the right thing.”
So I think as a Chief Auditor, building that trust, having those relationships with your auditees and with your C-suite, is the most important thing. But then just be honest with yourself and realize, “Hey, I’m not managing risk. I am helping facilitate a risk management function to identify, assess, and mitigate risk. The business has to manage it and mitigate it — but we help.”
Embracing AI: Opportunities and Challenges
Richard Chambers: Any insights on artificial intelligence from the early going here as a Chief Audit Executive, in terms of either risk that it might present to the company, or how maybe internal audit’s using it?
Russ Charlton: I see AI as both a risk and an opportunity in cyber. I think it’s almost like an arms race. The bad guys are going to be using AI to attack, and we’re going to be using AI to defend. In our media company, we’re using AI in various ways, whether that’s helping to write articles for newspapers and magazines. We have to have journalistic integrity and guidelines around the work we do with AI. All the things that you’re hearing about: making sure AI is free from bias, and it’s used in the right way, keeping data safe.
As an auditor, I’m on a task force with our Chief Compliance Officer. We are looking across the business to decide where the risks are with AI, what guidelines we need to put out there, and how we can stay ahead of this for both back-office type things and on the front side of our businesses.
I see AI as playing a role in both my ERM, my risk, and my cyber world for many years to come.
Richard Chambers: I get asked a lot, “Do I think AI is going to replace internal auditors?” My answer to that usually is this: I don’t think AI will replace internal auditors, but I do think internal auditors who don’t use AI and don’t understand it are at a greater risk of being replaced. How do you feel about that?
Russ Charlton: I completely agree. I think it’s a tool that needs to be used. I think if an internal auditor never learned how to use a spreadsheet, they would’ve been replaced 30 years ago, right? Absolutely, AI is a tool that must be used. It’s a new skill set that I think will make auditing very interesting. Hopefully, it can take away some of the more menial tasks, and we can use AI for that, allowing auditors to do even more interesting and meaty things.
Fostering Creativity and Curiosity in Modern Audit Teams
Richard Chambers: When I talk about the skills and attributes it takes to be an agent of change, we discuss having business acumen, being relationship builders in the organization, the importance of being strategic, and the importance of being innovative. Are there other things that you think a change agent in internal audit ought to have in their toolkit to be able to get out there and effectively help the organization change?
Russ Charlton: I think a certain level of creativity. And whenever you mention creative and accountants together, that kind of has this bad connotation. I don’t mean being a creative accountant. But I mean having a creative mindset, wanting to go out and think of new and different ways to do things, and having just a natural curiosity. I think that’s what really helps an auditor if they’re really interested in the business and want to learn more about it. And I think that puts them in a position to be able to help. Without that, auditors won’t progress.
Check out more audit leader interviews with Richard Chambers on our Agents of Change video series channel.