EY joins call for internal audit to improve

The Big Four firm of EY has completed their Global Internal Audit Survey for 2013. I suggest looking past their understandable focus on financial reporting and selling their services and the authors’ poor understanding of internal auditing – because there are some important nuggets that can be mined from their document.

Why do I say they have a poor understanding of internal auditing? Just look at the summary on their web site. They cite the #1 driver for change as “External auditors are increasingly relying on the work of Internal Audit”. That should be an incidental rather than primary driver for CAEs. Throughout the report, EY use their perspective of what ‘assurance’ means, and compare ‘assurance’ to ‘advisory’ – a term used by external and not internal auditors. For example, they refer to risk management and operational audit skills as compliance skills! Pure nonsense!

By the way, EY has some excellent individuals who understand internal auditing well. They have been an excellent co-sourcing partner over the years. Unfortunately, those responsible for writing and reviewing this document are not from among their numbers.

So let’s focus on what the information in the report tells us. There are a number of revealing and interesting bits and pieces, including quotes from internal audit leaders.

  • “The Internal Audit industry is continuously being challenged to be relevant,” Wong Swee Chin, VP of Group Internal Audit at Cerebos Pacific, Ltd.
  • “The profession continues to focus on adding insight to the business owners and executives around how to improve operations to achieve the strategic objectives of the organization. To do that, audit groups have to understand the strategy and the enterprise risk management around that strategy,” James A. Rose, Chief Audit Officer, Humana
  • “Only 26% of respondents say they are heavily involved in addressing IT risks. This low response to being involved in addressing IT risks should make Internal Audit pause for thought. The rapid evolution of technology is creating a number of risks as it raises the potential to completely change the business landscape across entire industries. These changes are creating both internal and external challenges: organizations must be prepared to aggressively leverage new technology to remain competitive, while at the same time effectively manage the related risks.”
  • The 500 respondents (CAEs and audit committee members) put financial audit and accounting as the most important skill for internal auditors (52.63%), ahead of internal control (39.57%), risk management (32.75%), and an in-depth knowledge of the company’s business and operations (25.93%). This is awful! The priorities are entirely upside down.
  • Contrast that with this quote: “If I look in my previous life, I had people who were largely accounting majors working for me. But the people I have now have no accounting background,” Barb Riker, Chief Audit Officer at Teucrium Trading
  • While 23.20% recognized the need to improve knowledge of the company’s business and operations, just 21.64% saw the need to improve risk management skills, 18.13% to address technology, and few identified soft skills as important (although I agree with Richard Chambers and Paul McDonald when they argue in the June edition of the Internal Auditor that soft skills need improvement). EY gets this right when they say “Soft skills are fast becoming as important as purely technical auditing skills. To be a strategic advisor to the business, auditors need to be able to think critically, apply business knowledge and clearly articulate insights to management. Auditors need to adjust training and think outside the box to ensure that it has the right people with the right skills and competencies in its Internal Audit function.”
  • “The days when a business auditor wouldn’t need to understand the impact of technology and how to use technology, those are gone. If you are a business auditor, you have to learn IT. If you are an IT auditor, you’ve got to learn to understand the business,” Carolyn D. Saint, Vice President of Internal Audit, 7-Eleven, Inc.
  • “I’m constantly encouraging everyone on my staff to think like an executive. … When they raise an audit issue, I ask them to say, so what is the impact of that to the business?” Stephen Arietta, Vice President, Internal Audit, United Online
  • EY refers to important sources for CAEs when they need additional resources. In addition to co-sourcing, EY points to hiring interns and the use of guest auditors. I personally like the latter a great deal, as it adds business knowledge and expert insights to the audit team, as well as contributing to the development of rising management stars.
  • In their conclusion, EY correctly states “There are several megatrends that are altering the landscape of businesses globally. These trends will drive significant change forcing businesses to constantly transform. Internal Audit must transform in order to stay ahead of these changes and to maximize its impact. In today’s dynamic business environment, Internal Audit functions must satisfy many different stakeholders: audit committee members, senior leadership, operational leaders, external auditors, regulators, etc.”

What am I learning from the EY report?

  1. The study supports the view expressed in PwC’s annual state of the internal audit profession, that internal audit departments are not meeting the needs and expectations of audit committees and top executives
  2. More needs to be done, not only to improve understanding of the business, risk management, and technology, but to get CAEs to recognize that these are essential skills – and far more important than traditional financial audit and accounting skills
  3. We have a number of leaders in the profession of internal auditing who ‘get it’. I have quoted some in this review, and others include Paul Sobel, Steve Goepfert, Richard Chambers, Larry Harrington, and more. I think we should be paying a lot of attention to what they have to say – and challenge so-called thought leaders such as the authors of this study
  4. For example, we should focus more on assurance than suggested – and our assurance should be on whether the organization is able to ensure that the risks that matter to the achievement of objectives and creation of value are at desired levels. Assurance is not limited to compliance (as suggested by EY), but to the ability of the management team and the board to drive and achieve results

I have been very hard on EY, but hope I have brought out points that are important if the internal audit profession is to remain relevant and increase its services to its stakeholders.

Do you share my views and points of learning?

  1. July 21, 2013 at 4:29 AM

    Norman – Spot on here. How depressing is it that big four external auditors still believe they have the monopoly view and arbitration over what makes good internal audit. Similarly they still classify internal audit as being good on the basis of how helpful it is to external audit.

    On the lessons to be learned – yes spot on too. IT yes – the UK CIIA’s ITAC qualification is good for this purpose. On priorities – yes agree all upside down. I think the issue I have been wrestling with is that IA has exactly the same challenge as management and should think as broadly as managers do. I would caution that guest auditors is a balancing act, managers are not fully internal auditors, nor auditors fully management, so balance that throughput carefully.

  2. July 21, 2013 at 8:36 AM

    Norman: Thanks for the post. I believe part of the problem continues to be cases where there is misalignment between the board and the goals/objectives of senior management. The fact that IA usually has split allegiances, for a variety of reasons, and must sometimes choose which they will align with when “push comes to shove” continues to be a problem – a problem that is not easily solved in cases where the goals of management and the board diverge. The reality is that the external audit profession faces the same dilemma when they must choose between the best interests of the board or the best interests of management who they often see as their primary customer.

    I believe that, ideally, IA should focus on the simple primary outcome of ensuring senior management and the board are aware of the true state of retained/residual risk related to key value creation and potentially value eroding objectives. A key sub-objective, particularly during the transition phase, is to help their organizations develop robust risk management processes capable of achieving this outcome. Sometimes management will not want the board to be aware of the true state of retained/residual risk for a variety of reasons. IA will then have to make a moral decision if they are aware of the true state of retained/residual risk whether to share that information with the board. The fact that a large percentage of IA shops have still not done a comprehensive assessment of the effectiveness of their organization’s risk management processes per multiple IIA surveys (IPPF Standard 2120) suggests that many IA shops are either not competent to do the assessment and/or reluctant to candidly report their opinion on the effectiveness of risk management processes which might be perceived as reflecting badly on the management team.

    The biggest factor that is changing the game and resulting in the EY, PwC, KPMG, Deloittes of the world reporting growing dissatisfaction with IA is that the responsibility of the board to oversee risk governance is becoming increasingly clear and increasingly codified. This is causing boards and management that were happily complacent with poor quality IA shops in the past to rate things as good to excellent in the past to rethink their views. As the importance of risk governance and risk oversight grows so are expectations of IA. This is a good thing.

    We believe the days of “supply driven” ERM and IA are drawing to a close and there are signs the better organizations are moving to “board driven/objective centric” ERM and IA. This transition clarifies what the key outcome based objectives for IA should be – ensuring that senior management and the board are fully aware of management’s true risk appetite/tolerance and the potential consequences. For those interested more information on this transition is available in a presentation I will be making at IIA conferences around the world over the next year.

    http://riskoversight.ca/wp-content/uploads/2011/03/Risk-Oversight-Inc-Board-Driven-Objective-Centric-IA-ERM.pdf

  3. Deb
    July 21, 2013 at 10:49 PM

    Norman:

    While your analysis is sharp and relevant as usual, I perceive a dichotomy between two sections (not in the way you analyse, but actually on the findings and learnings from the referred study).

    In the IA leaders inputs part, we’re told that a majority of “…audit committee members put financial audit and accounting as the most important skill for internal auditors (52.63%)…”. On the other hand, the ‘learning’ say that “The study supports the view… that internal audit departments are not meeting the needs and expectations of audit committee and top executives” (fair enough, but not meeting even financial audit & accounting expectations, ref. above!), and go on to say that “we should focus more on assurance… to the ability of the management team and the board to drive and achieve results”.

    What I perceive from the above is that we perhaps want to be like horses (regret the comparison!) which want to bolt ahead leaving the cart behind?! If all that the majority of ACs expect IAs to have is basic accounting and auditing skills, can they expect the same IA shops to deliver objective-centric risk-based internal audits? That is where I find Tim’s ‘demand-driven’ approach a better fit for organizations (and markets) at varying levels of risk understanding/maturity – create the demand first, and then cater to the demand. (if IA is allocated enough resources to create capabilities first – which many IAs do on their own anyway – waiting for the demand, then by all means do please go ahead, but that may mean inefficient use of scarce resources in economic terms!). In such a demand-driven scenario, the expectations from IA would be much better understood and laid out with crystal clarity, to enable IA to plan its resourcing strategy and audit coverage in the most efficient way.

    Deb

  4. Norman Marks
    July 22, 2013 at 6:17 AM

    Deb, you bring out an interesting point: that audit committees appear to focus on financial matters. That observation is not surprising given their primary role on financial reporting and the continuing emphasis by the CPA firms on such. It is also not surprising because CAEs are not showing them that more can be done – and, through education, driving audit committees to demand more.

    Through my 20+ years with audit committees, I cannot recall when I shared an analysis of the risks that matter and how I planned to address many of them, going way beyond financial risks, that they ever tried to dissuade me. On the contrary, they saw the immediate value and ensured I and my people had the resources and training necessary.

  5. Ray
    July 24, 2013 at 6:15 PM

    Norman – I like EY’s #1 driver for improving IA. Based on this, it would seem External Audit fees should go down while IA remuneration (salaries or fees) should be going up!

    I tend to agree with Tim and Deb on “demand-driven IA”. From a professional services perspective, we often advise clients on the areas to be covered in the IA scope. For some reason, many client management and AC have the view that our scope is always too extensive, or they’ll insist on the same scope to be completed in an unreasonable timeframe. What it usually boils down to is “give me the bare minimum I need” (whether that minimum is compliance with Exchange requirements or other jurisdictional regulations).

    Perhaps it’s just the jurisdiction in which I operate, but I feel more AC members and senior management need to be better “educated” in terms of risk management and internal controls, and not treat IA as a necessary evil.

  6. July 25, 2013 at 5:15 AM

    In the corporate world, an internal audit checklist is an important road map that enables companies to identify potential problems in their operating activities. More importantly, the checklist helps internal auditors conduct corporate reviews in accordance with generally accepted auditing standards. It also enables auditors to review internal processes in conformity with Institute of Internal Auditors guidelines.

  7. Bill Stephens
    July 29, 2013 at 4:45 PM

    Norman, you are right on with all your comments and especially in regard to your disagreement of the 500 respondents putting financial audit and accounting as the most important skill for internal auditors. That is so “old school” and Barb Riker is right that IA’s no longer have to have an accounting background. IA needs to be able to provide value from a business perspective more than financial. You made a great point criticizing that only 21.64% saw the need to improve risk management skills, 18.13% to address technology, and few identified soft skills as important.

    I attended your presentation at the ISACA Conference in LA when you spoke on “A Vision and Strategy for IT Audit 2015”. It was great and coincides with your point regarding only 26% of respondents say they are heavily involved in addressing IT risks. You state “organizations must be prepared to aggressively leverage new technology to remain competitive, while at the same time effectively manage the related risks”. The sad thing that I realized at the conference was that only one Audit Manager seemed to tie IT Audit with company business risks together while most of the young IT Auditors only seemed concerned about technology. I listened to Peter Diamandis speak at another conference and his topic was on “Innovation & Breakthroughs” and if you saw where he has technology in the future you would clearly see why Management and IA should be focusing on IT Risks.

    I agree with Tim Leech’s comments too. As an IA I have been trying to push risk management and the GRC process but I find that a lot of Senior Management teams aren’t ready for IA playing that role. They feel a little threatened that IA is more proactive in certain areas like this than they are. As for Boards and Audit Committees, this puts a lot of them out of their comfort zone because it’s new to them. It’ll be interesting where IA is 5 to 10 years from now and its relationship is with Senior Management teams and the Boards/Audit Committees.
