Auditing Forward

September 6, 2014

One of the new Core Principles for the Professional Practice of Internal Auditing proposed by the IIA’s Exposure Draft (if you haven’t seen it, read it, and responded, please do so) is:

  1. [Internal Audit is] insightful, proactive, and future-focused.

The last two adjectives, proactive and future-focused, translate to internal audit “auditing forward”.

This is an expression I only heard for the first time this year. It may have been one of the other members of the IIA Task Force that used it; but whoever said it, it resonated with me.

I have a chapter on “Auditing Forward” in my book on World-Class Internal Auditing and the best way for me to explain my thinking is through excerpts.

I assess my effectiveness as CAE by my ability to prevent internal control or risk issues when I can, rather than identify them (and find fault) when they already exist and represent an obstacle to organizational success.

If you are familiar with the CSI TV series, you can imagine a crime scene investigator entering a room and telling a detective “you have a dead body”. If I can, I prefer to be working with management to ensure there are reasonable controls that would prevent a dead body.

That means a couple of things: seeing the value of internal audit as helping improve risk management and controls, and “auditing forward”.

“Auditing forward” means being involved in new initiatives and projects [such as a pre-implementation controls review of a new IT system], providing consulting advice that helps management implement a reasonable level of controls and security.

It means seeing our success as linked to the success of management. If management implements a new system without sufficient controls or security, when we had an opportunity to warn them, it reflects as a failure on our part. Either we failed to identify the issue, to persuade management it was important, or to work with them on corrective actions that addressed the problem.


“Auditing forward” also means auditing the risks that impact today and tomorrow, not limiting your focus to what has happened in the past.

Is there value in somebody telling you that the road in front of the house you lived in last year is being repaired? You only want to know about road conditions where you are likely to drive now or in the future.

In the same way, internal audit needs to provide assurance and consulting advice on the risks of today and tomorrow. Telling management what has been a problem in the past has some limited value, but only to the extent that those conditions continue to exist and similar problems may continue into the future.

Wayne Gretzky’s father advised him to “skate where the puck’s going, not where it’s been”.

Internal auditors need to take this advice to heart and audit where the risk is going to be, not where it has been.

That requires:

  1. Being sufficiently agile to change the internal audit plan as risks and business conditions change; and,
  2. Knowing that risks and business conditions are changing.


Business leaders and the board like it when internal auditors talk about the business using the language of the business; when we can demonstrate that we understand what the company is doing and where it wants to go; and, where we can show that our work is directed to helping them succeed – arriving safely where they want to go.

Do you “audit forward”?

I welcome your views and comments.

  1. September 7, 2014 at 9:48 AM

    Norman – yes I agree with auditing forward, but this does depend on management’s and the organisation’s risk maturity. Most management teams I have met are actually issue managing, or if you are lucky, proximate risk managing. For no CEO gets rewarded for preventing something that may never happen, rather they are measured on dealing with things as they are happening. So yes in theory – but the practice is somewhat different!

  2. Richard Fowler
    September 8, 2014 at 8:17 AM

    It seems to me that being “insightful, proactive, and future-focused” can still be part of the traditional audit role. These characteristics do not preclude an auditor from looking at processes or transactions in the past, identifying trends and root causes of problems, and making recommendations to correct those issues from recurring. Going back to your CSI example, preventing a death is ideal; preventing the next death through your investigation and corrective actions might be just as important.

  3. September 8, 2014 at 9:47 AM

    I’ve always referred to my auditors as the value ladder, where the rungs are (from lowest to highest), recovery, reliance, risk-based audit, and management requests. To Richard’s point, we will likely spend most of our time in risk-based audits (preventing the next death), but we should strive to be engaged in consultive, pre-implementation management requests (thereby saving both lives). Getting there requires building trust and convincing management and the audit committee of the true value of Internal Audit.

    BTW, I have purchased your book and look forward to reading it soon.

    • Norman Marks
      September 8, 2014 at 9:49 AM


  4. Don Sparks, CIA, CISA, CRMA
    September 8, 2014 at 4:32 PM

    This quote has appeared in audit presentations for decades: [Charles F. Kettering] My interest is in the future because I am going to spend the rest of my life there.

  5. Anthony
    April 2, 2015 at 4:12 PM

    Mark, I believe your commentary is on point. Internal audit’s mandate must be to provide the right balance in assurance and advisory, value preservation and value creation. I do also support my learned colleague on the proffered commentary that there is a correlation in the rate or traction on auditing forward and the risk maturity of the organization, but even in this context IA should take the lead in improving the ERM competency of the company. Development and delivery of emerging risks plan to the business is an immediate added value.
    To achieve this mandate business alignment, risk focus on business objectives, talent management, critical thinking, and stakeholder alignment are key attributes that must be developed and consistently applied. Looking forward to the formal introduction by the IIA on the enhanced IPPF; and good work by you and the rest of the advisory team

  6. Sundar A. Rodriguez M.Com.,FCA.,DISA.,CFSA(USA).,FAIA(UK).,
    April 3, 2015 at 6:06 AM

    We look at the past to infer the understanding of the movement of the potential risk, assessing the risks both internal and external, and then use them to predict the future risks and tune our audits to add value to the organization from the future perspective.

  7. Norman Marks
    April 3, 2015 at 6:31 AM

    Sundar, I agree that the past may be an indicator for the future. But that is not always the case when our business and its external environment are changing at today’s pace.

    Which is the area of greater risk, the path we have trodden before or one we have not?

  8. Norman Marks
    April 3, 2015 at 6:46 AM

    Sundar, I agree that we should not stop worrying about risks that remain and focus exclusively on the new areas of risk.

    However, I am suggesting that our focus should be on helping management as they run the company now and in the near future. Where the greatest risks are in existing processes, then focus IA resources there. But, often these risks are well understood and we add little value. The greater value may be in providing assurance that there are guard rails to the path ahead.

    Even when we audit existing areas of risk, our attention should be how our assessment and recommendations make the path ahead safer and the organization’s objectives more likely to be achieved.

    Do you agree?

  9. April 4, 2015 at 8:09 AM

    It is absolutely important for the CAE to have a multi-disciplinary / multi-skilled IA Department having the complete panoply of expertise vis-à-vis the nature of business, besides having a thorough understanding of the business of the organization. The kind of business knowledge that the CAE has would determine his success at ‘the table’ and the organization. This would ensure that he has a better blend of financial and non-financial performance metrics that are essential for ‘effective internal audit’. In fact, it is the non-financial performance measurements that would help him identify early indicators of success or otherwise of the business. These metrics would not only help him evaluate past performance but facilitate improved prediction of the future performance with a fine-tuned mix of KPIs as well as lead and lag indicators. The management needs up-to-date data: financial as well as non-financial. The CAE, if he has the wherewithal of the essentials, would be able to advise the management on the critical issues and the health of the organization. That would mean: using the tools of analytics and automated testing and continuous monitoring of risks and controls for enhanced business assurance, increased focus on identified as well as emerging risks with a forward looking and proactive style of dynamic reporting. With ‘auditing forward’, I am sure, the CAE would be a confirmed ‘strategic contributor’ to the organization.
