A Call For Internal Audit Change
The IIA has released a new report calling for change. Enhancing value Through collaboration: A call to action has a lot of value, drawing on the results of IIA, KPMG, and PwC surveys and reports among others, together with insights and comments from IIA leaders and CAEs.
Change is needed because “ Fewer than half (49 percent) of senior management responding in PwC’s survey believe that internal audit is performing well at obtaining, training, and/or sourcing the right level of talent and the right specialists for its needs.”
The IIA report references five strategies that internal audit leaders should adopt for success:
- Improve Upon Alignment With Expectations of Key Stakeholders
- Assume a Leadership Role in Coordinating the Second and Third Lines of Defense
- Enhance Internal Auditing’s Capability to Address Critical Strategic Business Risks
- Develop and Implement Knowledge and Talent Acquisition Strategies
- Become a Trusted Advisor to the Audit Committee and Executive Management
Some of the excerpts with which I agree include:
– There is a need for “a global shift toward greater coverage of risk management, business strategy, and governance” by internal audit.
– Sprint CFO Joe Euteneuer tells PwC, “internal audit’s mandate is to be proactive in helping us forecast, assess, and manage risk. They are expected to partner with the business as they manage day- to-day operations and be an ‘idea tank’ for insights around risks and controls for the overall benefit of the company.”
– The first step, according to KPMG’s report, is to “recognize that internal audit is most effective when it is focused on the critical risks to the business, including key operational risk and related controls — not just compliance and financial reporting risks.”
– Internal audit needs to shift its mindset and be cognizant of an ever-changing operating environment.
– Presuming maturity of the company’s internal control structure, the CAE should present a strategic internal audit plan, spanning three to five years and showing a reduction in assurance services and an increase in advisory services — in accordance with what the internal control structure will permit. The CAE should not lose sight of the need for flexibility and adaptability in response to emerging risks. Such a plan should present in detail how those advisory services will be performed and how they tie into the company’s business plan.
– “It becomes incumbent on CAEs to communicate clearly where within their audit plans they have identified and addressed the organization’s key strategic and business risks. Explicit rather than implicit communication with full transparency is needed to avoid any misunderstanding of this critical risk coverage.” — Richard Anderson, Clinical Professor of Risk Management, DePaul University
Some believe I speak for the IIA – that is not correct. From time to time, I disagree (sometimes strongly) with official IIA positions. That happens to be the case with some of the advice in this IIA paper.
The IIA “advocates educating key stakeholders on the three lines of defense model, comprising management controls, risk management, and internal audit. Communicating this model and coordinating with other assurance providers has made slow progress.” I disagree, but will cover my issues with the three lines of defense model in another post.
Today, I want to comment on the first of the five strategies, “Improve Upon Alignment With Expectations of Key Stakeholders”.
The paper talks about understanding the expectations of the board (and top management), agreeing with them on what constitutes value, and then delivering that value.
At first glance, this seems reasonable and appropriate.
The trouble is that most boards and top management have no idea what internal audit is capable of doing – which is why so many insist on internal audit focusing on financial and compliance risks, rather than expanding into strategic and operational areas. It is also why boards are not demanding that internal audit provide assurance on risk management or address the risks of failures in governance processes.
If we only strive to align and meet the expectations of ‘ignorant’ boards and top management, we are doomed to repeat the failures of the past.
Instead, we must recognize our obligation to address all risks to the success of the organization, including those pertaining to governance, risk management, and so on.
Where our boards and top management don’t understand, rather than fall in (or fail in) quietly we must do our best to educate them of our responsibilities and capabilities. Where needed, we must expand our capabilities so we address these key risk areas in a professional and competent manner.
For example, Lord Smith of Kelvin told the International IIA Conference in Kuala Lumpur that “the fish rots from the head down” and that the greatest risk to an organization relate to defects in the CEO and his executive team.
Where we are witness to failures at the C-suite level, should we behave like the three monkeys because the board and management do not expect us to address that risk?
Or, do you disagree?
Leave a Reply
Norman Marks on Governance, Risk Management, and Audit 
I agree with your comments Norman and when the fish rots from the head and you have done your best to educate the board, what specific actions would you suggest be taken? We can think of many many examples of where the fish rots from the head. Do you believe that t he genesis for the fish rotting from the head is because of the training/education they have received in the past including marketing from the large accounting/consulting firms and if so would you think that we need to be doing something different going forward?
Arnold, I have been in this position. I made sure the audit committee understood and left it in their hands.
This implies that the audit committe does the job (but that is not always the case).
This implies also a lot regarding the ability for IA to “educate” the board or C-suite, and a lot regarding their own ability to receive the IA findings, even if there are negative for them… An essentiel but very very hard work.
Could we imagine other options?
How should we go about educating our board and management without them thinking that we want to over-rule (over-turn) their decisions. I am not fearful to point out where there are potential risk to the organization, but how to do so in a professional and competent manner? You pointed out that some boards are ignorant and ignorant people don’t like to be challenged as they will feel inadequate, and this will breed resentment and grievance. My question is how should one go about addressing these issues in a professional and competent manner?
Also how should one go about addressing the issue of governance?
The ideas are good, and in principle noone can disagree, I think. But implementing this is equally difficult not only because where there is a governance issue, it impacts independence of IA automatically (in most cases), and it becomes more difficult to report to audit commitee on such topics as it it difficult to get evidence of what you are saying.
Our primary constituent is the Audit Committee of Board of Directors. I would add the regulators and shareholders. I would then add management. I’ve seen in heavility regulated industry where the audit function received criticisim for having too cozy of a relationship with management. Management desires collaboration through consulting rather than open criticism communicated in reports and to the audit committee. I understand and would be articulating a similar message. But our primary role of supporting the board with assuring management is sufficiently managing risks including the 2nd level of defense is key. These external constituents should be the primary assesors of internal audit’s performance. Its a difficult dynamic to manage and we do try to be consultative where appropriate.
Educating the board can be a challenge. If you don’t feel comfortable providing a briefing yourself using papers from thought leaders they will respect, you can always invite outside authorities to present. For example, your external auditor may be able to present if they have authored good papers in the area.
Norman – near perfect articulation: “If we only strive to align and meet the expectations of ‘ignorant’ boards and top management, we are doomed to repeat the failures of the past … Where our boards and top management don’t understand, rather than fall in (or fail in) quietly we must do our best to educate them of our responsibilities and capabilities.” I fully endorse your views. Tom
Norman, I am taking it that inviting external authorities would be based on the board’s approval. Am I correct?
Tamika, it will depend on the audit. The audit committee approves the audit plan and I can tell them when I will co source.
Thank you Norman, I will keep this in mind should the need arise to co source.
Totally agree Norman,
This is the root cause of almost everything in risk management. Wİthout solving this, most of the other treatment attempts would be ineffective.
How many Boards would like to assesss their capability level or wishes to carry a SWOT analysis for themselves?
They think that they are capable because they are appointed to this position. So why would they bother asking for more? Same is valid for C levels.
We have new regulation in Turkey that enables external auditors to dismiss the Board in case of material weakness within some conditions. I am not sure how it will work in practice but I guess it is better than nothing.
Unfortunately this topic is covered with land mines, which I will carefully walk around. Professionally, I am already seeing a trend where more internal audit departments are moving FURTHER, not CLOSER, to the business and focusing on Compliance only because of the many of the things said already in the comments (i.e. politics, self preservation, lack of experience). In my opinion, if you want to really help (consult with or add value to) the business there needs to be distinct lines drawn between how you communicate unmitigated risks and integrated (documented) controls that must work effectively, i.e., maybe we should not make every risk observation an audit issue that goes into an official report. However, that means establishing a risk management process in the company that is designed to (collaboratively) – identify risks (from anywhere), assess risks (with the right people involved) and conclude on risks accordingly (yes, it is ok to accept a risk once in awhile). Once those KEY risks and controls (that must work effectively) are identified then you can include them in the annual audit plan, while continuing to work collaboratively with management throughout the year on identifying/assessing/deciding on risks. BTW it would help tremendously if IIA and other professional risk groups would spend more time in senior executive forums, educating board members and business senior managers.
Jose A. Ortiz, what are you really saying concerning not making every risk observation an audit issue that goes into an official report? I guess that would depend on the level of risk involve. I believe that risk of all level should be documented as that is the only proof that audit addressed the matter identified. Maybe it would not be a detailed report but documented evidence serves to protect the department in the event management failed to address and correct or mitigate that risk and any other threat associated with it.
The problem some internal audit department face has to do with governance; as some board and senior management does not know the real function of the audit department in the organisation and so auditors are sometimes restricted to only compliance. Any attempt to assess and address governance might not be welcome my management.
How should the audit department go about assessing and addressing governance?
Simply put, try to create a way to work more collaboratively with the client through an integrated (enterprise) risk management process. This is not about hiding risks or not communicating risks, it is about finding more effective ways to manage risk by working together, using innovative approaches that keeps everyone engaged in the process. In addition, there are numerous ways to capture (evidence) the work you did, or to capture the decisions made on risks identified, beyond simply documenting an audit report. I am not saying that audit reports are bad vehicles for communicating results, but admittedly they have often created misperceptions about what auditors are trying to communicate, why and to whom. We all can use better alignment across all departments, comprehensive / consistent process and procedures, improved awareness / training, collaboration, and more effective communication. Can auditors lead the way and are they willing? This is for your company to figure out, but success requires a mature risk management culture and consistent tone from the top to the bottom.
I do not believe internal audit should report as issues risks they would accept if they owned the business. We should limit our reports to risks that are outside acceptable ranges, and not include items for CYA or other purposes. That is how you destroy credibility and the ability to influence and effect change.
Norman, I am referring to risk of levels that will impact the organization negatively. I know some level of risk will be tolerable but I am referring to risks that are not tolerable and that would not be acceptable to the board. Your point on not documenting things for CYA purposes is accepted.
I understand my previous post did not come across correctly. Risk at all intolerable levels should be documented. Elaborate on your statement “That is how you destroy credibility and the ability to influence and effect change.” How come?
Tamika, I think we are now aligned. I was talking about auditors who include everything in the report even if they think the risk should be accepted.
Okay Norman. Thank you for your great insight though 🙂
Norman, you have articulated this issue well. I found in my experience the best way to educate stakeholders is one-on-one, based on a professional relationship. Build credibility, deliver results as you go, and map out a path to engage with the Audit Committee chair on one topic at a time to help them understand the proper role of internal audit.
Very good thoughts, Norman, and well stated. I have found that one of the reasons Internal Audit is not providing the greatest value is that the audit plan includes audits of high risk functions even when those risks are mitigated and the functional area receives considerable oversight. It is difficult in these cases for IA to add value other than to confirm what other reviews have noted.
It is likewise difficult to convince the Board that audits should focus on the highest mitigated risks rather than the highest unmitigated risks. The risk committee or ERM team will report high risks to the Board, and the Board in turn wants to see IA address those areas. Even if there is limited value in doing so. And therein lies our conundrum.
Appreciating Norman’s as well as others valuable observations, I also believe that it is very tricky if an internal auditor has to align with the expectations of key stakeholders especially when these key stakeholders are meant to be top management.
Of course Senior management’s expectation might be not to mention any major risk as they do not like it.
Fully agree with you saying “if we only strive to align and meet the expectations of ‘ignorant’ top management, we are doomed to repeat the failures of the past” and I would raise theis question that what would be the benefit of internal auditors then? i.e. an internal auditor who just replicates or aligns himself/herself with that of top management expectation but nothing else!
Norman, I agree with you 100%: We must recognize our obligation to address all risks to the success of the organization, including those pertaining to governance, risk management, including what Sprint CFO Joe Euteneuer told PwC, “internal audit’s mandate is to be proactive in helping us forecast, assess, and manage risk. They are expected to partner with the business as they manage day- to-day operations and be an ‘idea tank’ for insights around risks and controls for the overall benefit of the company.”
For example, an Internal Audit Department that can help management reverse a strategic weakness, e.g. general lack of compliance with project management best practices, will give the company long lasting value added improvement in operational performance over long hau.
I have more to agree than to disagree on change for the internal audit. The real issue for management expectation of internal audit should be standards & follow up of the audit issues as part of management’s action for implementation apart from auditor’s own involvement to advise or consult on new process or new product & services (the process is important here whether internal auditor is required to attend various management meeting or adhoc meeting etc for control and auditing standards especially when budget item becomes the contention for later disputes & turf battle issues for managers on both control and audit side of the isle). Combining these two as part of proactive auditor’s plan confuses both auditors (internal and external in relying on internal auditors independence standard including the role of internal auditor’s time on minutes taking notes at the very least level to help audit and/or management & prove to management at the same time that audit is not viewed as outside personnel rather internal personnel). Management expectation in meeting the very same stake holders expectation of internal auditors role must be clear in the Audit Committee documents also including international or domestic members to avoid confusion. Audit Committee’s role should be even on a higher plateau in recognizing the internal auditors change of roles on the increasing expectation of internal auditors role. I have seen management that recognized difficult role internal auditor has to play within the complexities of changing business environment or climate including regulations/compliance. Many times it is this recognition that brought compliance officer job to the forefront in meeting the same challenge or greater challenge faced by internal auditors.