Is Internal Audit lacking in leadership skills?

October 25, 2011

If you read the original version of the article by Tammy Whitehouse just republished in the October issue of ComplianceWeek, you might be tempted to say “yes”. While the title in the October issue is phrased as a question, “Is internal audit lacking” (no link because it is only available to subscribers in print form), the original version was entitled “Studies find internal audit lacking in leadership skills”. Not stated as a question but as a fact.

After a storm of protest by internal audit practitioners that the underlying research by PwC and the IIA had been misrepresented, the Managing Editor of this otherwise excellent publication blogged a response (recommended reading). He acknowledged that many leaders of internal audit functions had excellent leadership skills, and said that he believed (and he thought the studies supported him in his belief) that lower-level internal auditors had room to improve. Well, all of us have room to improve.

Let’s have a look at the updated piece and see if we agree with the comments. BTW, I find it curious that the only people quoted are consultants and service providers, with the sole exception of Richard Chambers (IIA President and CEO). There are no words of wisdom from any current CAE.

Here are some excerpts:

  • “Many internal audit departments are caught in a kind of feedback loop – eager to help steer organizations in a new direction, but struggling to demonstrate their ability to be agents of change”.
    • Comment: that is not consistent with my personal experience. More CAEs than not are effective agents of change.
  • “Internal auditors are still trying to put down their pencils and lift heads so they can take a broader look at organizational risk”.
    • Comment: this picture of an auditor using a pencil, focusing on small stuff, is demeaning and not representative, IMHO, of the state of internal auditing.
  • “Internal audit departments need more ‘maverick’ leadership to gain more clout with boards and demonstrate more expertise in identifying and addressing risks.”
    • Comment: I agree with Dipak Shah, who said this. While many CAEs are ‘rock stars’, we need more.
  • “Internal auditors let their critical thinking skills stagnate while they tackled the mountain of SOX internal control issues”.
    • Comment: this is contrary to my observations. Auditors can and do use their gray matter every day.
  • “Internal auditors are really losing ground right now in being able to demonstrate their value”.
    • Comment: this is my blog so I feel able to say this is nonsense.

Are internal auditors perfect, both at the top of the function and at lower levels? No, obviously not. There is always a need to improve. The development of people’s skills has been a priority for internal audit functions since my earliest days as an internal auditor (in the 1980s).

More to the point, are internal auditors lacking in these essential skills more than finance people, sales people, manufacturing staff, service providers and consultants, or journalists at ComplianceWeek? No.

What do you think? Is this a profession that is dying, with ‘stagnating skills’ and an inability to ‘demonstrate value’?

  1. Gary Lim
    October 26, 2011 at 4:32 AM

    I can relate my experience as the Risk Manager of a MNC Insurer and my involvement in implementing the ERM of the company in accordance with ISO 31000. Firstly, the IA claim to have no risk from the department, at least on paper under IA Dept, there is not a single risk being identified whilst all dept have some risks identified. The CEO also agreed with it (his previous position regional IA). Next, the list of controls listed by all the departments, none of them is to be reviewed by the IA, instead only by the Risk Mgt Committee. My conclusion is that IA focuses on anything that relates to financial aspect only. Thirdly, IA has low opinion of RM, something which is of no concern to IA.
    My next experience as a RM Consultant on an assignment basis, the RM Mgr (ex IA) insisted that to identify the risk one must use CSA (control self assessment), anything else like a top-down approach was not accepted. I guess typically IA is used to risk identification from the staff level hence CSA.
    I don’t think highly of IA, they have yet to take up the leadership in Risk, meaning IA should be under RM and all the financial aspects will be under IA, this is leadership.

  2. ARNOLD SCHANFIELD
    October 26, 2011 at 6:34 AM

    What I have found and am finding more and more from ongoing discussions with practitioners in both the internal audit and risk management fields is that internal auditors are missing critical skill sets to do their jobs as “rock stars” - the words that you like to use. It is important to once and for all articulate those specific skills that are missing and then to seek out those organizations that will provide them with the necessary training to do their jobs better.

    Risk Management is one of the most critical areas where the skill sets are by and large pitiful.

  3. October 28, 2011 at 11:17 AM

    At some point, I would actually suggest that IT Audit is in a hyper-learning condition. More is learned so fast that balance is missing. That missing balance does lead to a perception of wisdom as Missing in Action. The entire notion of “Rock Stars” means that IT Audit is now at a CMM level 1 status, “Plausibly repeatable but accomplished by Heroic Action.”

    Some of the ISO standards on Data Lifecycle are in their first 5 years of market penetration. The marriage between HIPAA and ISO 27002/1 as it relates to the actions of a Medical Privacy Officer is still boiling tribal knowledge at this point, CMM level 0: “Just Do It.”

    The coordination with Information Security in the creation of Automated technical control self assessment technologies is also boiling tribal knowledge, CMM level 0: “Just Do it.”

    Security Operations Units, practically the world over, do not actually have a Lost Revenue per year mapping to a NIST 800-30 Risk Exposure Estimate. When an outfit barely even has an inventory of the data it collects and a server by server flow of where it went, do we even have Data Risk Management?

    My job as a QSA assessor is to collect that Data flow map. By majority, what I see is an under-supported Internal Auditor politely thanking God that outside Audit asked for such a document.

    All these are samples not of missing professionalism, lack of skill or gray matter. I see Risk Management itself in a state of flux at a CMM level 1 state of affairs if my Corp by Corp sampling is a fair picture.

    At least in the PCI DSS area, my reports effectively are giving hard one data to that Standards Body on what data process documents actually exist in the processing of Payment Card Transactions.

    While the situation is not a black sky, there are stars in it, it is night and the sun has not risen.

  4. fe
    October 31, 2011 at 9:44 PM

    Is Internal Audit lacking in leadership skills?

    No, many of us in the profession actually believe in what we do. But, most CFOs and CEOs are terrible leaders. And they set awful examples to their employees and hire their “yes, ma’am” buddies to lead the IA dept.

    This is no different on the regulatory organization side. Look at the PCAOB, SEC, and etc. We just had the biggest crises ever in housing, finance, and etc. And yet, we don’t see the key architects in jail. Instead, the PCAOB made a fuss about China.

    The tone at the top? We have none. I have heard many stories of friends who tried to do the right things and only got shafted by the management and external auditors who didn’t want to raise any flags.

    This is unhealthy. Suffocating.

  5. Norman Marks
    November 1, 2011 at 11:21 AM
  6. Adam Witko
    November 2, 2011 at 11:24 AM

    Is the problem purely that of perception? This feed seems to show that the line doesn’t appear to rate IA highly, it seems to be true vice versa.

    Internal audit is not defunct, but my view is that with us being in the digital and integrated age, there will need to be a large change in the way internal audit operates and the skills required thereon. To a large extent working together and understanding both sides of the line/audit fence.

    I have reservations that a true career auditor can be an effective CAE, then again it would be the same for a true line man. It needs a mixture of both. I wouldn’t necessarily believe it needs a maverick character.

    The analogy I would use is that of music, moving from record to cassette to cd to mp3 to ipod. These formats were not necessarily invented by the music industry but it was brought into use by people having a knowledge of both have resulted in a far better product.

    Do we have that many people around who have the necessary vision to bring technology and new thought into an audit / risk management mp3/ipod type situation?

  7. V.Venkata Raghavan
    November 14, 2011 at 11:16 PM

    I agree with Adam’s viewpoint and like the analogy to mp3/ipod. A CAE having a good mixture of line skills and audit or process focus would stand a good chance of being a leader as he has the practical knowledge to gain acceptance of his averments and would be able to use the leadership qualities he would have gained from his line position. On the transition from digital stage, there are plentiful opportunities to use different techniques in the various facets of IA and RM and as CAE he needs to constantly upgrade his knowledge (software).

  8. Tom
    January 31, 2012 at 12:29 PM

    The tone of the audit is always set from the top. Without a clear directive it is a pointless exercise.

  9. February 2, 2012 at 8:54 AM

    Internal audits should be conducted on a regular basis as well as assessing the skills of the auditor and making changes as needed.

  10. Tom
    February 9, 2012 at 7:50 AM

    Very well written and very informative. Thanks for the good work !

  11. February 27, 2012 at 3:30 AM

    Nicely written neat & Clean post.