What is the state of internal auditing? My opinion
With the controversial article in ComplianceWeek (see my post) and the blog by Richard Chambers (he believes CAEs have never been stronger), it is time I provided my personal views on whether internal audit is dying (as implied by one of the service providers in the ComplianceWeek piece).
Overall, internal audit has never been stronger. But that does not mean that it is without significant room for improvement. These comments are probably true in most geographies:
- Its reputation with executive management and the board remains inconsistent, ranging from ‘providing a competitive advantage’ to ‘inconsequential’ or even ‘it’s there so we can check the box’.
- CAEs are driving change to an extent we have not seen before. Many are stepping up and taking the personal risks involved in advocating risk management, for example. However, far too many are complacent and happy to continue without making waves.
- CAEs talk about understanding the expectations of the audit committee. But few are educating and changing those expectations. One of our biggest problems is that boards do not understand what we are capable of doing – sometimes because we are not sure ourselves – or they doubt our abilities.
- While there is an increase in the number of audit departments providing assurance on risk management practices (especially outside the US), the numbers performing those audits remain low.
- The same and more holds when it comes to auditing governance processes. While most will audit practices around the code of ethics, very few have accepted the fact that weak board and top management processes represent perhaps the greatest risks to the success of the organization. There remains a reluctance (even a fear) to include the risk of poor governance and oversight in the audit risk assessment and audit planning processes.
- There is a fairly prevalent opinion that co-sourcing has not always improved the value of internal auditing services, because while the individuals added to the team have good technical skills they don’t have a great understanding of the business. The co-source provider’s priority is their profit, not the company’s success.
- I understand that some outsourced internal audit functions have been severely criticized when they have gone through independent quality assurance reviews. While the service providers quoted in ComplianceWeek were happy to criticize in-house internal audit departments, they are anything but perfect themselves.
- We are very slow to embrace the opportunities of technology. We are more risk averse, focusing on the risk presented by technologies than finding ways to use them to improve our practices.
- iPads and other mobile devices (more lines of code are being written for mobile than any other platform)
- 10.9 billion mobile apps were downloaded in 2010
- SAP and other enterprise application companies are now providing mobile users with the ability to run their business from the palm of their hand
- Cloud is reshaping IT service delivery
- In-memory computing and ‘big data’ are massive technology shifts (more in future posts)