EY joins call for internal audit to improve
The Big Four firm of EY has completed their Global Internal Audit Survey for 2013. I suggest looking past their understandable focus on financial reporting and selling their services and the authors’ poor understanding of internal auditing – because there are some important nuggets that can be mined from their document.
Why do I say they have a poor understanding of internal auditing? Just look at the summary on their web site. They cite the #1 driver for change as “External auditors are increasingly relying on the work of Internal Audit”. That should be an incidental rather than primary driver for CAEs. Throughout the report, EY use their perspective of what ‘assurance’ means, and compare ‘assurance’ to ‘advisory’ – a term used by external and not internal auditors. For example, they refer to risk management and operational audit skills as compliance skills! Pure nonsense!
By the way, EY has some excellent individuals who understand internal auditing well. They have been an excellent co-sourcing partner over the years. Unfortunately, those responsible for writing and reviewing this document are not from among their numbers.
So let’s focus on what the information in the report tells us. There are a number of revealing and interesting bits and pieces, including quotes from internal audit leaders.
- “The Internal Audit industry is continuously being challenged to be relevant,” Wong Swee Chin, VP of Group Internal Audit at Cerebos Pacific, Ltd.
- “The profession continues to focus on adding insight to the business owners and executives around how to improve operations to achieve the strategic objectives of the organization. To do that, audit groups have to understand the strategy and the enterprise risk management around that strategy,” James A. Rose, Chief Audit Officer, Humana
- “Only 26% of respondents say they are heavily involved in addressing IT risks. This low response to being involved in addressing IT risks should make Internal Audit pause for thought. The rapid evolution of technology is creating a number of risks as it raises the potential to completely change the business landscape across entire industries. These changes are creating both internal and external challenges: organizations must be prepared to aggressively leverage new technology to remain competitive, while at the same time effectively manage the related risks.”
- The 500 respondents (CAEs and audit committee members) put financial audit and accounting as the most important skill for internal auditors (52.63%), ahead of internal control (39.57%), risk management (32.75%), and an in-depth knowledge of the company’s business and operations (25.93%). This is awful! The priorities are entirely upside down.
- Contrast that with this quote: ““If I look in my previous life, I had people who were largely accounting majors working for me. But the people I have now have no accounting background,” Barb Riker, Chief Audit Officer at Teucrium Trading
- While 23.20% recognized the need to improve knowledge of the company’s business and operations, just 21.64% saw the need to improve risk management skills, 18.13% to address technology, and few identified soft skills as important (although I agree with Richard Chambers and Paul McDonald when they argue in the June edition of the Internal Auditor that soft skills need improvement). EY gets this right when they say “Soft skills are fast becoming as important as purely technical auditing skills. To be a strategic advisor to the business, auditors need to be able to think critically, apply business knowledge and clearly articulate insights to management. Auditors need to adjust training and think outside the box to ensure that it has the right people with the right skills and competencies in its Internal Audit function.”
- “The days when a business auditor wouldn’t need to understand the impact of technology and how to use technology, those are gone. If you are a business auditor, you have to learn IT. If you are an IT auditor, you’ve got to learn to understand the business,” Carolyn D. Saint, Vice President of Internal Audit, 7-Eleven, Inc.
- “I’m constantly encouraging everyone on my staff to think like an executive. … When they raise an audit issue, I ask them to say, so what is the impact of that to the business?” Stephen Arietta, Vice President, Internal Audit, United Online
- EY refers to important sources for CAEs when they need additional resources. In addition to co-sourcing, EY points to hiring interns and the use of guest auditors. I personally like the latter a great deal, as it adds business knowledge and expert insights to the audit team, as well as contributing to the development of rising management stars.
- In their conclusion, EY correctly states “There are several megatrends that are altering the landscape of businesses globally. These trends will drive significant change forcing businesses to constantly transform. Internal Audit must transform in order to stay ahead of these changes and to maximize its impact. In today’s dynamic business environment, Internal Audit functions must satisfy many different stakeholders: audit committee members, senior leadership, operational leaders, external auditors, regulators, etc.
What am I learning from the EY report?
- The study supports the view expressed in PwC’s annual state of the internal audit profession, that internal audit departments are not meeting the needs and expectations of audit committees and top executives
- More needs to be done, not only to improve understanding of the business, risk management, and technology, but to get CAEs to recognize that these are essential skills – and far more important than traditional financial audit and accounting skills
- We have a number of leaders in the profession of internal auditing who ‘get it’. I have quoted some in this review, and others include Paul Sobel, Steve Goepfert, Richard Chambers, Larry Harrington, and more. I think we should be paying a lot of attention to what they have to say – and challenge so-called thought leaders such as the authors of this study
- For example, we should focus more on assurance than suggested – and our assurance should be on whether the organization is able to ensure that the risks that matter to the achievement of objectives and creation of value are at desired levels. Assurance is not limited to compliance (as suggested by EY), but to the ability of the management team and the board to drive and achieve results
I have been very hard on EY, but hope I have brought out points that are important if the internal audit profession is to remain relevant and increase its services to its stakeholders.
Do you share my views and points of learning?