Minimize Risk, Maximize Relationships: 5 Audit Department Best Practices

Hologic’s Michael Lewis shares audit department best practices to minimize risk and maximize relationships

As a global developer, manufacturer, and supplier of diagnostic products, medical imaging systems for breast and surgical health, gynecological surgical products, and medical aesthetic systems, Hologic must address countless regulatory, financial, security, and operational risks. Leading that responsibility is Michael Lewis, vice president of internal audit. With nearly three decades of experience and expertise, Lewis has key recommendations on how audit teams can best minimize risk and maximize relationships in all types of companies and industries.

Michael Lewis, VP of Internal Audit, Hologic

1. Use data to direct your focus and avoid bias and preconceived ideas

Hologic’s internal audit department uses a two-dimensional enterprise risk management (ERM) identification process that helps prioritize potential risks and how likely they are to occur. That process was initially based on surveys of senior management but has grown to include external scans. Drawing from sources such as the Transparency International Corruption Perception Index and information from the big four accounting firms and other audit and risk compliance organizations, Lewis can identify a broader range of challenges.

“You don’t want to be limited to what you already know or to what you can access internally,” Lewis says. “It’s important to be aware of what others are seeing and sensitive to hot spots that might otherwise be overlooked. From there, we can compare that to our lines of business and assess where we might have more exposure and rank areas that need the most attention.”

He works with senior management to triage the results and achieve better allocation of resources. By determining, for example, the top areas of concern, the department can deliver more comprehensive and high-quality results that address the most pressing concerns. In addition to this prioritizing process, Lewis and his team do project-specific risk assessments that fall within the identified areas.

In 2017, Hologic’s top risks included cybersecurity, business continuity, and regulatory compliance.

2. Assess risk and adapt to it throughout the year

Many organizations perform annual risk assessments, but Hologic conducts several assessments throughout the year. This ensures the company is focusing on the right areas at the right time. “Businesses reforecast as markets and other factors change. We do the same,” Lewis says. “It’s not uncommon to find that a new project has taken on more value than one we signed on for six or eight months ago. It just makes sense to adapt along with the risks.”

3. Manage and nurture relationships at all levels of the business on an ongoing basis

At Hologic, interactions with colleagues and partners are ongoing. This takes the form of formal, regularly scheduled meetings with senior management, as well as open-door walk-ins for everyone from field managers to the general counsel, CFO, and CEO.

Lewis indicates that such open communication and collaboration help address what he calls “audit’s identity crisis.” By this, he means the wide range of preconceived notions people have about formal reviews or examinations, whether they be internal or external, ranging from the IRS to OSHA.

“At Hologic, it starts with the chief audit executive and extends to internal audit staff being open and transparent while delivering value-added products that provide meaningful results,” Lewis says. “You develop mutual respect along with the brand of the department.”

One of his strategies is to actively solicit feedback from board members and other senior stakeholders. He makes a point of getting their feedback on presentations to ensure he’s addressed their concerns and done so according to their preferences: Did he speak too long? Did he offer too much or too little information?

Not only does their input ensure alignment with strategic priorities, but Lewis is able to incorporate their individual expertise. “Board members have seen issues and various solutions at other organizations,” he says. “That gives us added insight into how we can monitor and avoid similar challenges.”

4. Do extensive research and work collaboratively when preparing for field audits

Audits can be disruptive, but audit departments can mitigate that impact through comprehensive preparation that includes process, owner, and management input. Lewis says everyone is more receptive and cooperative when they understand the process, the required documents, and anticipated schedules. Lewis feels strongly that each step should be transparent, from the opening meeting to the final report, so that everyone involved has clear expectations and accountability. And better cooperation leads to better results.

5. Always be aware of priorities and adapt accordingly

Every environment has its own culture, so Lewis advises that his recommendations be customized for each one. “A change in leadership, a change in the latest headlines, or some other strategic objective will have an impact on the audit department,” he says. “By staying tuned in to evolving priorities, you can be sure that you offer independent, objective assessments, and increase the value and integrity of your efforts.”