Disappointed by the PwC State of the Internal Audit Profession 2011
Over the years, PwC has provided visionary insights into not only the current state of internal audit, but where it needs to be going.
The best of these was published in 2007, Internal Audit 2012. The key message was “Internal audit leaders must adopt risk-centric mindsets if they want to remain key players in assurance and risk management”. I believe that message remains the key for internal audit functions today.
If you haven’t read this seminal document, DO IT NOW!
But PwC has not retained (IMHO) the momentum – or the quality of their guidance. The latest State of the Internal Audit Profession is a pale imitation of the 2012 report. (I can’t say I understand, because PwC has some fine people in leadership roles.)
Rather than continue the pressure for a focus on business risk, and what is important to the organization, the major part of this document is about detail: this risk and that risk.
Frankly, the best quotes are from my very good friend, Joel Kramer:
- “Internal audit must concentrate on inherent and residual high risks and remove low risk, low impact audits off our annual plans. Also, we should remove low-risk, low-impact audit steps from our audit programs.”
- “How to audit is simple, the question is ‘what to audit?’ You have to audit risk. There are four levels—risk that is unique to the process, to the organization, to the industry, and to the environment. Whether you are an eight-person or an eighty-person department, every audit you do should reconcile to one of these risks. Every internal auditor needs to know what can bring the organization to its knees.”
Where are the questions about internal audit providing assurance on enterprise-wide risk management? I can’t see them, can you?