The future of the internal audit profession

My good friend, Dan Swanson, asked me to write the introduction to his new book, Raising the Bar, with the topic being the future of the profession.

I would like to share that introduction with you and get your comments.

=================================================================================

Whether you are new to internal auditing or an experienced practitioner or academic, there will be something for you in Raising the Bar. Dan Swanson’s collection of insights covers a wide area.

I am pleased to see Dan include some of my work, notably a reference to the State of Internal Auditing that was published in EDPACS in 2009. Probably with that in mind, I am honored that he asked that I contribute my views concerning the future of our profession.

This is indeed a critical time for internal auditing. Fortunately, leadership at the Institute of Internal Auditors (IIA) and among prominent practitioners has recognized the need for change. The 2010 General Audit Management (GAM) and International Conferences saw a number of IIA and other eminent thought leaders confront the needs head on.

My friend Richard Anderson, a major contributor to the risk management profession over the years and a former partner with PricewaterhouseCoopers in the U.K., wondered at the International conference whether internal auditing had become irrelevant. As he pointed out, few if any held internal auditors to blame for any aspect of the great recession. Although there is a widely-held view that corporate governance and risk management practices failed, nobody has said “where were the internal auditors?”

I join in the refrain: “where are the internal auditors?” If we are to be relevant, chief audit executives (CAEs) have to refocus on providing assurance regarding how well management identifies, evaluates, responds, and manages risks – including the controls that keep risk levels within organizational tolerances. That means that:

–          The audit plan has to be designed to address the major risks to the enterprise. The traditional risk assessment process must die a quick death (assessing risk levels based on an audit universe, and then performing audits of the controls designed to address risks to the achievement of objectives for those areas, locations, business units, etc.) A top-down risk assessment process will take its stead. Here the more significant risks to the enterprise are identified and targeted in audit engagements. Rather than focus on risks to objectives at a process, department, or location, audits will focus on risks to the objectives of the organization.

–          Every audit report should include an opinion on the overall management of the risks under review and the adequacy of related controls. I fail to understand how internal auditors believe they provide assurance (required by the IIA Standards) when they don’t provide an opinion (which is not, for some reason, required by the Standards). I also fail to understand how audit committees and top management suffer CAE fools who are reluctant to give an assessment.

–          The audit plan should be designed to provide assurance on the major risks, not just perform audits. In other words, on an annual basis (at least) the chief internal auditor (CAE) will provide a formal opinion to the board and top management that addresses the adequacy of governance, risk management, and related controls. It will be built on the results of audits included in the plan, and the scope of and basis for the overall opinion will be clearly stated. The CAE will deign the audit plan with that in mind. While there is a desire to perform consulting and other engagements that endear internal audit to management (generating tangible cost savings and other results), the primary focus has to be on the work required to provide assurance.

–          The audit plan will be a single, integrated plan based on a single, integrated risk assessment. The only risk is business risk, and there is no such thing as IT risk – only the effect of IT-related failures on business risks. Performing a separate IT risk assessment is wrong. The right approach (in my opinion) is to look at the risks to the objectives of the organization, among which are risks related to failures within IT.

–          We also need to build up the courage to take on the topic of governance. The IIA definition of internal auditing requires that we provide assurance on governance, as well as on risk management and the related internal controls. Far too few include governance processes in their audit plans, except as they relate to the code of conduct. This is playing around the edges instead of taking on the heart of governance, such as the activities of the board and its committees, including the timeliness and quality of information they receive; the organization and staffing of the enterprise; and the process for establishing, communicating, and cascading organizational strategies through the organization – to ensure all managers are working to optimize performance and realize organizational goals. Fortunately, the IIA’s guidance on auditing governance should be available by the time this book is published.

Another good friend who has been outspoken recently is Larry Harrington. The CAE at Raytheon, Larry has been talking up the notion of internal auditors as ‘rock stars’. (He was the kick-off speaker at GAM). At least part of this vision is that we become a louder and more influential driver for change within our organizations.

I am pleased to see CAEs driving risk management into their companies. They are frequently the ones who raise the topic with top management, discuss the need with the board, and explain the need. Often, CAEs are being asked to take on responsibility for risk management – after all, who else within the organization understands it well. We should not be afraid to take this on, whether it is to get it going and then pass it on to a chief risk officer, or to run the program permanently. If we tread carefully, perhaps following the guidance in the IIA UK paper on the role of internal audit in risk management, we can add real value without impairing our objectivity and independence.

One area that CAEs need to focus on and drive change is around the quality, reliability, and timeliness of the information used by management and the board to run the organization. Too many have multiple computer systems that don’t play well together, thousands of spreadsheets, and a variety of data warehouses and business intelligence systems. The information used by management and provided to the board comes from a variety of sources. It needs massaging and consolidation before it can be used. By the time it is presented to management, it is days if not weeks old. It is also historical, looking at the past and not the future. If there are forecasts, they are not risk-adjusted (i.e., adjusted based on the likelihood of various scenarios).

Management is managing by looking into a rear-view mirror. Not only that, but because of the fragmented systems, the rear-view mirror is fractured and so the view of the past is not clear.

Internal audit should recognize this and other inhibitors of optimized performance, and be the rock stars that drive change. When we recognize problems with our systems and data, we should be heard at board and top management levels. We should also be alert and making sure management is paying attention to the possibilities offered by new technology. As Larry says, with urgency, we need to be prepared to take some risks ourselves, loudly advocating the need for change.

Internal auditors should be embracing new technologies themselves, for their own area. Too many are complacent, watching from the sidelines as others – within their own organization – make use of social media for collaboration and risk monitoring, and obtain insight into their operations and performance through business intelligence.

It is time for internal audit functions to commit to change in the tools and methodologies they have embraced for decades. How can CAEs justify standing still when technology has not? Both business intelligence and continuous monitoring/auditing tools have un-dreamed of capabilities for putting data at auditors’ fingertips and monitoring enterprise activities to ensure controls are operating as intended and detect inappropriate activity. Too few internal auditors even know whether their organization owns and uses tools like these (for example, for financial analysis), let alone make full use of them!

Coming back to Richard’s question, you may suggest that people don’t blame internal auditors because they are not seen as major contributors to organizational governance. Certainly, the profession of internal auditing does not have the prestige of our external audit colleagues. While leadership at the IIA is rightly concerned with advocacy for the profession and a place of respect for our Institute, I have to ask whether we deserve that respect. Have we earned it?

At too many organizations, internal audit continues to be a subordinate, middle management operation. I believe there are two interconnected reasons for this:

1. Boards have not demanded that we step up and fill their assurance void. While we are useful in detecting and investigating fraud, and reporting on controls in important areas, they don’t expect us to provide an overall assessment of governance processes, risk management, and the related controls. If they were to drive, the profession would follow.
2. Internal audit leaders at most companies have not led the way, educating their boards and showing them that internal audit can fill their assurance void – with formal assessments of governance, risk management, and controls. If more CAEs starting driving and showing through their example what is possible, then boards will come to expect it and demand a higher level of service from all CAEs.

The way forward requires that we:

1. Step up and take on the challenge of the board’s assurance gap. Provide them with a formal, regular assessment of the condition of governance and risk management processes, and the related controls.
2. Demonstrate through excellence in performance that we deserve this trust.
3. Be loud rock stars, encouraging and driving change within our organizations.
4. Leverage the promise of technology, so we can extend the quality and breadth of our assurance and consulting services without major increases in budget.

Moving the profession forward requires leaders. Dan Swanson is one. His massive volume of work, reflected in this book, helps internal auditors all over the world perform quality audits – and demonstrate the quality and value of our profession.