A Call For Internal Audit Change
The IIA has released a new report calling for change. “Enhancing Value Through Collaboration: A Call to Action” has a lot of value, drawing on the results of IIA, KPMG, and PwC surveys and reports among others, together with insights and comments from IIA leaders and CAEs.
Change is needed because “Fewer than half (49 percent) of senior management responding in PwC’s survey believe that internal audit is performing well at obtaining, training, and/or sourcing the right level of talent and the right specialists for its needs.”
The IIA report references five strategies that internal audit leaders should adopt for success:
- Improve Upon Alignment With Expectations of Key Stakeholders
- Assume a Leadership Role in Coordinating the Second and Third Lines of Defense
- Enhance Internal Auditing’s Capability to Address Critical Strategic Business Risks
- Develop and Implement Knowledge and Talent Acquisition Strategies
- Become a Trusted Advisor to the Audit Committee and Executive Management
Some of the excerpts with which I agree include:
– There is a need for “a global shift toward greater coverage of risk management, business strategy, and governance” by internal audit.
– Sprint CFO Joe Euteneuer tells PwC, “internal audit’s mandate is to be proactive in helping us forecast, assess, and manage risk. They are expected to partner with the business as they manage day-to-day operations and be an ‘idea tank’ for insights around risks and controls for the overall benefit of the company.”
– The first step, according to KPMG’s report, is to “recognize that internal audit is most effective when it is focused on the critical risks to the business, including key operational risk and related controls — not just compliance and financial reporting risks.”
– Internal audit needs to shift its mindset and be cognizant of an ever-changing operating environment.
– Presuming maturity of the company’s internal control structure, the CAE should present a strategic internal audit plan, spanning three to five years and showing a reduction in assurance services and an increase in advisory services — in accordance with what the internal control structure will permit. The CAE should not lose sight of the need for flexibility and adaptability in response to emerging risks. Such a plan should present in detail how those advisory services will be performed and how they tie into the company’s business plan.
– “It becomes incumbent on CAEs to communicate clearly where within their audit plans they have identified and addressed the organization’s key strategic and business risks. Explicit rather than implicit communication with full transparency is needed to avoid any misunderstanding of this critical risk coverage.” — Richard Anderson, Clinical Professor of Risk Management, DePaul University
Some believe I speak for the IIA – that is not correct. From time to time, I disagree (sometimes strongly) with official IIA positions. That happens to be the case with some of the advice in this IIA paper.
The IIA “advocates educating key stakeholders on the three lines of defense model, comprising management controls, risk management, and internal audit. Communicating this model and coordinating with other assurance providers has made slow progress.” I disagree, but will cover my issues with the three lines of defense model in another post.
Today, I want to comment on the first of the five strategies, “Improve Upon Alignment With Expectations of Key Stakeholders”.
The paper talks about understanding the expectations of the board (and top management), agreeing with them on what constitutes value, and then delivering that value.
At first glance, this seems reasonable and appropriate.
The trouble is that most boards and top management have no idea what internal audit is capable of doing – which is why so many insist on internal audit focusing on financial and compliance risks, rather than expanding into strategic and operational areas. It is also why boards are not demanding that internal audit provide assurance on risk management or address the risks of failures in governance processes.
If we only strive to align and meet the expectations of ‘ignorant’ boards and top management, we are doomed to repeat the failures of the past.
Instead, we must recognize our obligation to address all risks to the success of the organization, including those pertaining to governance, risk management, and so on.
Where our boards and top management don’t understand, rather than fall in (or fail in) quietly, we must do our best to educate them about our responsibilities and capabilities. Where needed, we must expand our capabilities so we address these key risk areas in a professional and competent manner.
For example, Lord Smith of Kelvin told the International IIA Conference in Kuala Lumpur that “the fish rots from the head down” and that the greatest risk to an organization relates to defects in the CEO and his executive team.
Where we are witness to failures at the C-suite level, should we behave like the three monkeys because the board and management do not expect us to address that risk?
Or, do you disagree?