
The future of the internal audit profession

My good friend, Dan Swanson, asked me to write the introduction to his new book, Raising the Bar, with the topic being the future of the profession.

I would like to share that introduction with you and get your comments.

Whether you are new to internal auditing or an experienced practitioner or academic, there will be something for you in Raising the Bar. Dan Swanson’s collection of insights covers a wide area.

I am pleased to see Dan include some of my work, notably a reference to the State of Internal Auditing that was published in EDPACS in 2009. Probably with that in mind, I am honored that he asked that I contribute my views concerning the future of our profession.

This is indeed a critical time for internal auditing. Fortunately, leadership at the Institute of Internal Auditors (IIA) and among prominent practitioners has recognized the need for change. The 2010 General Audit Management (GAM) and International Conferences saw a number of IIA and other eminent thought leaders confront the needs head on.

My friend Richard Anderson, a major contributor to the risk management profession over the years and a former partner with PricewaterhouseCoopers in the U.K., wondered at the International Conference whether internal auditing had become irrelevant. As he pointed out, few if any held internal auditors to blame for any aspect of the great recession. Although there is a widely held view that corporate governance and risk management practices failed, nobody has said “where were the internal auditors?”

I join in the refrain: “where are the internal auditors?” If we are to be relevant, chief audit executives (CAEs) have to refocus on providing assurance regarding how well management identifies, evaluates, responds, and manages risks – including the controls that keep risk levels within organizational tolerances. That means that:

– The audit plan has to be designed to address the major risks to the enterprise. The traditional risk assessment process must die a quick death (assessing risk levels based on an audit universe, and then performing audits of the controls designed to address risks to the achievement of objectives for those areas, locations, business units, etc.). A top-down risk assessment process will take its place. Here the more significant risks to the enterprise are identified and targeted in audit engagements. Rather than focus on risks to objectives at a process, department, or location, audits will focus on risks to the objectives of the organization.

– Every audit report should include an opinion on the overall management of the risks under review and the adequacy of related controls. I fail to understand how internal auditors believe they provide assurance (required by the IIA Standards) when they don’t provide an opinion (which is not, for some reason, required by the Standards). I also fail to understand how audit committees and top management suffer CAE fools who are reluctant to give an assessment.

– The audit plan should be designed to provide assurance on the major risks, not just perform audits. In other words, on an annual basis (at least) the chief internal auditor (CAE) will provide a formal opinion to the board and top management that addresses the adequacy of governance, risk management, and related controls. It will be built on the results of audits included in the plan, and the scope of and basis for the overall opinion will be clearly stated. The CAE will design the audit plan with that in mind. While there is a desire to perform consulting and other engagements that endear internal audit to management (generating tangible cost savings and other results), the primary focus has to be on the work required to provide assurance.

– The audit plan will be a single, integrated plan based on a single, integrated risk assessment. The only risk is business risk, and there is no such thing as IT risk – only the effect of IT-related failures on business risks. Performing a separate IT risk assessment is wrong. The right approach (in my opinion) is to look at the risks to the objectives of the organization, among which are risks related to failures within IT.

– We also need to build up the courage to take on the topic of governance. The IIA definition of internal auditing requires that we provide assurance on governance, as well as on risk management and the related internal controls. Far too few include governance processes in their audit plans, except as they relate to the code of conduct. This is playing around the edges instead of taking on the heart of governance, such as the activities of the board and its committees, including the timeliness and quality of information they receive; the organization and staffing of the enterprise; and the process for establishing, communicating, and cascading organizational strategies through the organization – to ensure all managers are working to optimize performance and realize organizational goals. Fortunately, the IIA’s guidance on auditing governance should be available by the time this book is published.

Another good friend who has been outspoken recently is Larry Harrington. The CAE at Raytheon, Larry has been talking up the notion of internal auditors as ‘rock stars’ (he was the kick-off speaker at GAM). At least part of this vision is that we become a louder and more influential driver for change within our organizations.

I am pleased to see CAEs driving risk management into their companies. They are frequently the ones who raise the topic with top management, discuss it with the board, and explain the need. Often, CAEs are being asked to take on responsibility for risk management – after all, who else within the organization understands it well? We should not be afraid to take this on, whether it is to get it going and then pass it on to a chief risk officer, or to run the program permanently. If we tread carefully, perhaps following the guidance in the IIA UK paper on the role of internal audit in risk management, we can add real value without impairing our objectivity and independence.

One area where CAEs need to focus and drive change is the quality, reliability, and timeliness of the information used by management and the board to run the organization. Too many have multiple computer systems that don’t play well together, thousands of spreadsheets, and a variety of data warehouses and business intelligence systems. The information used by management and provided to the board comes from a variety of sources. It needs massaging and consolidation before it can be used. By the time it is presented to management, it is days if not weeks old. It is also historical, looking at the past and not the future. If there are forecasts, they are not risk-adjusted (i.e., adjusted based on the likelihood of various scenarios).

Management is managing by looking into a rear-view mirror. Not only that, but because of the fragmented systems, the rear-view mirror is fractured and so the view of the past is not clear.

Internal audit should recognize this and other inhibitors of optimized performance, and be the rock stars that drive change. When we recognize problems with our systems and data, we should be heard at board and top management levels. We should also be alert, making sure management is paying attention to the possibilities offered by new technology. As Larry says, with urgency, we need to be prepared to take some risks ourselves, loudly advocating the need for change.

Internal auditors should be embracing new technologies themselves, for their own area. Too many are complacent, watching from the sidelines as others – within their own organization – make use of social media for collaboration and risk monitoring, and obtain insight into their operations and performance through business intelligence.

It is time for internal audit functions to commit to change in the tools and methodologies they have embraced for decades. How can CAEs justify standing still when technology has not? Both business intelligence and continuous monitoring/auditing tools have undreamed-of capabilities for putting data at auditors’ fingertips and for monitoring enterprise activities to ensure controls are operating as intended and to detect inappropriate activity. Too few internal auditors even know whether their organization owns and uses tools like these (for example, for financial analysis), let alone make full use of them!

Coming back to Richard’s question, you may suggest that people don’t blame internal auditors because they are not seen as major contributors to organizational governance. Certainly, the profession of internal auditing does not have the prestige of our external audit colleagues. While leadership at the IIA is rightly concerned with advocacy for the profession and a place of respect for our Institute, I have to ask whether we deserve that respect. Have we earned it?

At too many organizations, internal audit continues to be a subordinate, middle management operation. I believe there are two interconnected reasons for this:

  1. Boards have not demanded that we step up and fill their assurance void. While we are useful in detecting and investigating fraud, and reporting on controls in important areas, they don’t expect us to provide an overall assessment of governance processes, risk management, and the related controls. If they were to drive this, the profession would follow.
  2. Internal audit leaders at most companies have not led the way, educating their boards and showing them that internal audit can fill their assurance void – with formal assessments of governance, risk management, and controls. If more CAEs started driving and showing through their example what is possible, then boards would come to expect it and demand a higher level of service from all CAEs.

The way forward requires that we:

  1. Step up and take on the challenge of the board’s assurance gap. Provide them with a formal, regular assessment of the condition of governance and risk management processes, and the related controls.
  2. Demonstrate through excellence in performance that we deserve this trust.
  3. Be loud rock stars, encouraging and driving change within our organizations.
  4. Leverage the promise of technology, so we can extend the quality and breadth of our assurance and consulting services without major increases in budget.

Moving the profession forward requires leaders. Dan Swanson is one. His massive volume of work, reflected in this book, helps internal auditors all over the world perform quality audits – and demonstrate the quality and value of our profession.

  1. Matthew Smith
    June 29, 2010 at 4:50 PM

    Overall an excellent and provocative introduction. Two small points:

    – Third bullet after “I join in that refrain” you say, “The CAE will deign the audit plan”; it should be design, not deign.
    – You appear to enjoy using the term “My good friend” and other variations. Seems a bit self-aggrandizing. I don’t think it’s necessary and it does not add anything to the intro. You are a well-known and respected voice in the profession; you don’t need to do this.

    My comments for what they are worth.

  2. nmarks
    June 29, 2010 at 5:04 PM

    Matthew, thanks for the comments – a good catch on the typo and I take your point on my friends. I am not looking for “reflected glory” and appreciate your pointing out that it reads that way. I am actually blessed and proud that so many people I respect have made time for me and my rants.

  3. James paterson
    June 30, 2010 at 9:42 PM

    You touch upon a central issue for IA – are we actually getting key organisational risks and governance issues on our audit plans? I have a piece in the UK IIA magazine on this issue in March. This does indeed take courage etc., but your article prompts me to reflect that we also have to work on ensuring appropriate NED support for going into more sensitive areas. Not all NEDs are as progressive as others. I wonder how the IIA is engaging more with Director Institutions to highlight the criticality of NED support for IA. This includes being more vocal about getting the best people into IA (a very common issue from CAEs), and Director support for this, and also ensuring performance criteria for CAEs explicitly value “visible challenge” – what guidance should the IIA be issuing for Senior management in this regard?
    Finally – NEDs and CAEs need persuasion that this more challenging role for IA is worth it – this requires excellent CAE stakeholder management and influencing skills and – again – not all CAEs are yet in the “rock star” category in this regard. In my view this goes beyond training courses; we should be doing more to encourage peer-to-peer CAE coaching, action learning and – if necessary – “supervision” of CAE choices in “real time”. The IIA UK has been kind enough to publish an article of mine in this regard in its June 2010 issue; I hope the US chapter of the IIA can step up this angle with your help and support.
    Best Regards

