What is the state of internal auditing? My opinion

October 28, 2011

With the controversial article in ComplianceWeek (see my post) and the blog by Richard Chambers (he believes CAEs have never been stronger), it is time I provided my personal views on whether internal audit is dying (as implied by one of the service providers in the ComplianceWeek piece).

Overall, internal audit has never been stronger. But that does not mean that it is without significant room for improvement. These comments are probably true in most geographies:

  • Its reputation with executive management and the board remains inconsistent, ranging from ‘providing a competitive advantage’ to ‘inconsequential’ or even ‘it’s there so we can check the box’.
  • CAEs are driving change to an extent we have not seen before. Many are stepping up and taking the personal risks involved in advocating risk management, for example. However, far too many are complacent and happy to continue without making waves.
  • CAEs talk about understanding the expectations of the audit committee. But few are educating and changing those expectations. One of our biggest problems is that boards do not understand what we are capable of doing – sometimes because we are not sure ourselves – or they doubt our abilities.
  • While there is an increase in the number of audit departments providing assurance on risk management practices (especially outside the US), the numbers performing those audits remain low.
  • The same and more holds when it comes to auditing governance processes. While most will audit practices around the code of ethics, very few have accepted the fact that weak board and top management processes represent perhaps the greatest risks to the success of the organization. There remains a reluctance (even a fear) to include the risk of poor governance and oversight in the audit risk assessment and audit planning processes.
  • There is a fairly prevalent opinion that co-sourcing has not always improved the value of internal auditing services, because while the individuals added to the team have good technical skills they don’t have a great understanding of the business. The co-source provider’s priority is their profit, not the company’s success.
  • I understand that some outsourced internal audit functions have been severely criticized when they have gone through independent quality assurance reviews. While the service providers quoted in ComplianceWeek were happy to criticize in-house internal audit departments, they are anything but perfect themselves.
  • We are very slow to embrace the opportunities of technology. We are more risk averse, focusing more on the risk presented by technologies than on finding ways to use them to improve our practices.

Let’s “get real” for a moment. Any company, department, or individual always has room for growth. None of us is perfect and it is easy to point to defects and weaknesses. We do that ourselves, as auditors, and are often accused of failing to provide a fair and balanced perspective. The ComplianceWeek piece was neither balanced nor fair. It failed to recognize the progress that has been made, and the excellent quality of many internal audit functions and individuals. That does not mean we should reject it out of hand.

While we should be pleased (as Richard Chambers is) with the progress of internal auditing, we still have a long way to go to perform consistently at the level of which each of us is capable.

The PwC, IIA, and other studies (such as by Protiviti) have identified some of the areas we need to improve most. Fine.

But, the one area we need to think about most is this, IMHO.

The world is being re-shaped by changes in technology. The Australian newspaper talked this week about 2011 being a year of dramatic change in technology, the most revolutionary year ever. Change is not happening in decades, but in single years. Just think, we have:
  • iPads and other mobile devices (more lines of code are being written for mobile than any other platform)
  • 10.9 billion mobile apps were downloaded in 2010
  • SAP and other enterprise application companies are now providing mobile users with the ability to run their business from the palm of their hand
  • Cloud is reshaping IT service delivery
  • In-memory computing and ‘big data’ are massive technology shifts (more in future posts)
Change is happening at an explosive pace. Are we providing internal audit services and assurance at the speed of business? Or are we still catching up with 2001? Can we still afford to deliver assurance 3 months after management or the board asks for our assessment?

I welcome your comments and views.
  1. Timour Baiazitov
    October 29, 2011 at 2:42 AM

    Thanks, Norman,

    This should lead to a nice discussion. My opinion on the parts which got my attention in your post:

    • “Its reputation with executive management and the board remains inconsistent, ranging from ‘providing a competitive advantage’ to ‘inconsequential’ or even ‘it’s there so we can check the box’.”

    That’s true and sometimes even in case of management and the board of the same company; in my case when 3 CEOs changed over the 3 year timeframe.

    • “One of our biggest problems is that boards do not understand what we are capable of doing – sometimes because we are not sure ourselves – or they doubt our abilities.”
    True again, even though they do understand they sometimes don’t require all the support we can provide – first things first for all the boards, and if there is no stable financial performance – that is the priority, then statements; it might never come down to operations and risks at board level (all risks happened). And it could definitely doubt our abilities if not in our mind, then even worse – in management perceptions.
    • “The same and more holds when it comes to auditing governance processes. While most will audit practices around the code of ethics, very few have accepted the fact that weak board and top management processes represent perhaps the greatest risks to the success of the organization. There remains a reluctance (even a fear) to include the risk of poor governance and oversight in the audit risk assessment and audit planning processes.”

    Well, we accepted such fact – as a fact actually, not a risk. We included it as strategic risk in risk register. Board currently works on improvements of both board and executive management processes. Well, how would you deal with the “we know it all” statements by the CEO and Board Chair simultaneously?

    • “Change is happening at an explosive pace. Are we providing internal audit services and assurance at the speed of business? Or are we still catching up with 2001? Can we still afford to deliver assurance 3 months after management or the board asks for our assessment?”

    That’s the “fine line”. Do we intend to intrude in the decision making? Do we even have adequate information on the business changes? When we are still sometimes struggling with how to ensure timely and adequate audit findings reaction and actions by management?
    No we don’t provide assurance at the speed of business if they didn’t call us for advice. And we are not catching up. We aim to ensure there are adequate mechanisms for business change and transformation at the speed required, and some media to record and store info on the actions taken for the learning process (not for autobiographies or audit trails as some of my peers like to say).

    • November 1, 2011 at 10:03 AM

      Yes, you do need to intrude. Risk Management has a bottom line effect. You are a partner of the business in that subject. If a car has no anti-theft device, it is unrealistic and defective. If a Pinto has an explosive gas tank, Quality Assurance must insist on affecting the business. Just how vital to the business is Information Assurance? Can a gap kill people? In the medical device area, yes it can. Can fraud destroy a business? You already know the answer is yes.

      Do you rule the business? No. Are you a contributor to the bottom line? Yes. All cost effective quality assurance contributes to the bottom line. Quality that does not, is not worthy of its hire and should be shed. Do not even bother to pretend to independence on this point.

  3. rao umair saeed
    October 29, 2011 at 5:35 AM

    1st of all, it’s a good piece of writing.

    Frankly, CAEs are scared, even of losing their job. I do not find the Audit Committee succeeding in minimizing this risk. Another aspect is that CAEs try to control their juniors’ views, though the auditing profession allows individual auditors access to the board and audit committee. Things that are wrong for the organization become right when these are extended to audit bosses at least (middle & lower audit cadres do not matter).

    Audit chief is too risk averse; an audit finding, if proved wrong later, may cost the auditor’s reputation. I wonder what this fear is all about? How can someone’s work always be error free?

    As far as the Audit Committee is concerned, I feel they are low paid for their services at such a prime level. Frequent in & out of persons from the committee is another concerning issue. Meeting with committee is too short in which lot of time is consumed in discussing status of previous audit findings. Audit committee do not put enough pressure on management to enforce them to comply.

    Technology is demanding from auditors, but our bosses are in a comfort zone & do not want to challenge in need of time. This is just unbearable.

    To me, all the bosses do not want to confront each other & have fear of unnecessary risk i.e. tone at the top is dwindling. I can safely bet that an absolute ethical internal auditor will find him/ herself in flux.

    Still I strongly believe that internal audit is improving and gaining strength. Indeed all this is at the risk of audit head’s personal (calculated) risk. Definitely we need to do more like the scientists are doing every moment.

    In my view, auditor should focus on operational & technical perspective & not just numbers. Understanding of the internal processes & comparison with the best in class is imperative.
    Education of personnel in other fields is also needed because they find audit work to be humiliating them.

    • November 1, 2011 at 9:53 AM

      Audit is not a path for the faint of heart. A CAE that is scared of his or her fate needs to change careers for the benefit of themselves, their company and the stakeholders that vitally trust in the quality of their work.

      The leading reason that Software Developers believe their manager would require Security Coding practices is that Compliance made them do it. If Audit cannot cause compliance at this point, then that kind of audit is a direct contributing cause to technical vulnerability and consequential information breaches.

  4. October 29, 2011 at 7:09 AM

    Norman:

    I tip my hat to you for the balanced and candid coverage in this piece. All too often internal audit has not taken an objective approach in looking at its own performance in spite of claiming it is a core skill of the profession. This has been compounded by internal audit leaders that want to err on the side of half full in their coverage without a candid and objective examination of half full. Positive feedback is no longer helpful if it distorts the true risk status. This needs to change if the profession is to realize its potential.

    The internal audit profession needs far more articles, presentations and even full conferences on the theme in your post above. Please do something similar on your IIA blog unless you think it won’t be welcome by the IIA and could endanger your role as an IIA blogger. You have made many tremendous contributions to the profession and tackling the “elephant in the room” is a route that has significant risks but one that you have made huge contributions.

    30 years ago my boss wouldn’t allow internal auditors in his department to join the IIA on the basis that it was “a feel good club”. Feeling good about oneself is important but not to the detriment of being respected and relevant to all key customers and stakeholders.

  5. Deb
    October 29, 2011 at 10:18 PM

    Wow! Reading this post made me feel I was reading my own story – 90%! This is absolutely the ‘big picture’ route of analysis we need, rather than prioritize getting into micro discussions on the difference between risk appetite and risk tolerance (well, no doubt that is important too). Would look forward to more thought provoking discussions on the themes in this.

  6. Michael Corcoran
    October 30, 2011 at 11:49 AM

    Norman, it is line & senior management’s responsibility to provide shareholders with assurance that the use of technology will create and preserve value. Internal audit can advise management on IT framework design and implementation and provide a second level of assurance that management’s plans were carried out as intended and operating effectively to create additional value and safeguard existing business value.

  7. Robin Hayes
    October 30, 2011 at 9:34 PM

    Having seen & heard Norman in full flow at IIA-Melbourne meeting, “you get” the urgency at which CAE will have to adapt to change (specifically IT). Like to hear more on:
    – IIA as a platform to centralise and co-ordinate the required changes in the future.
    – Should IA be purchasing their own apps to get the job done?
    – What apps are being developed for/by auditors?

    • November 1, 2011 at 9:31 AM

      Try talking to your InfoSec team. These people are furiously creating technical controls to help you audit technology systems. Put your needs on their table and let them HELP you.

      • November 1, 2011 at 9:37 AM

        Consider the Integrated Technology Risk Platforms being devised, bought or cobbled together, company after company across the planet at this point.

        Within the next year, a whole wave of platforms that can map organizational Importance to technical Risk metrics and potentially to Activity Based Cost Models of Operational Risk are on-line, coming on-line or being devised as we speak.

        If you mapped the right flows of Data through the business cycle you audit, that view could be included as well. Then, Audit would join the race for genuine IA instead of being late… again.

  8. November 1, 2011 at 9:29 AM

    But, Information Security warned Audit about these risks. This is not technical surprise, it is organizational surprise. The classic response from Internal Audit was, “We do not need to address this until the business requires it.” Audit shames itself by hiding behind the pace of technical change. Face the same music you deliver to others. You have a gap.

  9. Norman Marks
    November 1, 2011 at 11:21 AM
  10. Timour Baiazitov
    November 1, 2011 at 12:39 PM

    Don Turnblade (@arctific): Yes, you do need to intrude. Risk Management has a bottom line effect. You are a partner of the business in that subject. If a car has no anti-theft device, it is unrealistic and defective. If a Pinto has an explosive gas tank, Quality Assurance must insist on affecting the business. Just how vital to the business is Information Assurance? Can a gap kill people? In the medical device area, yes it can. Can fraud destroy a business? You already know the answer is yes.
    Do you rule the business? No. Are you a contributor to the bottom line? Yes. All cost effective quality assurance contributes to the bottom line. Quality that does not, is not worthy of its hire and should be shed. Do not even bother to pretend to independence on this point.

    you mixed it all …
    yes risk management might be a part of decision; quality people probably should be a part (don’t mix quality control and quality assurance though); internal audit must not directly affect decisions in organization – cases of unacceptable risks should be escalated to appropriate level.

  11. Andrew Dyson
    November 15, 2011 at 11:53 AM

    Internal audit is moving into territory that some find uncomfortable or challenging. Providing assurance and highlighting the risks of tampering with the unseen heroes and vital parts of any organisation rather than making its mark via lengthy reporting and recommendations is part of its current evolution. In taking this action it is challenging the impact of changes.

    The synergy between this evolving role and the expectations of the Audit Committee is something that we are all adjusting to and seeking to address.

  12. Lizzie
    November 23, 2011 at 8:15 AM

    I think you’re right in some aspects, personal risk assessment is a key element of an audit but it is secondary to the effect of decision making. There will always be a risk with an evolving industry but it is something that we will have to tackle when the time comes.

  13. December 31, 2013 at 11:08 AM

    I agree with all your points though I have not read the ComplianceWeek article.

    In my view, only auditors are not responsible for state of confusion, it’s primarily because even our stakeholders are not clear what they want from us.

    There are a couple of stakeholders who still have the old picture of auditors in their mind and don’t want auditors to talk about strategy since it’s management’s decision. Some stakeholders feel that we are fraud detectors, some feel we should check compliance only and design of control is management’s call.

    One closing thought company always want an over smart CEO, COO but do they want over smart auditors. I doubt

    Regards,
    Kushal
    Internalauditexpert.in
