Home > Audit, Compliance, COSO, Governance, GRC, IIA, Risk, Sarbanes, SOX > Leaders of internal audit should never be satisfied

Leaders of internal audit should never be satisfied

September 12, 2014 Leave a comment Go to comments

If you think you are world-class, it is time for you to consider change.

Our organizations and the risks they face are changing constantly and the pace of change is increasing.

Jack Welch once said: “If the rate of change on the outside exceeds the rate of change on the inside, the end is in sight.”

We should never be satisfied with where we are today, as this represents a risk that we will not be sufficiently agile to deal with risks tomorrow.

Here are a couple of excerpts from my book, World-Class-Internal Audit: Tales from my Journey. The first is on the need for change:

OK, you and your team have been recognized as adding huge value and being world-class.

Do you stop there, confident and happy in your success?

No. What is world-class for your organization today may be insufficient for tomorrow.

The CAE should have a thirst for change and growth. Learn not only from other internal audit leaders and what they do well. Learn from leaders of other organizations entirely, like Marketing and Sales.

I like to read magazines like Fast Company because they profile innovative and creative thinkers in all walks of life. Maybe what works for them could, with some tailoring, work for me. At least it might stimulate me to think about something I had never thought about before. It might stimulate me to challenge what had worked for me in the past.

Innovative leaders think outside the box. They create something that excels and they love it. They love it so much it becomes a box for them and limits their ability to discard it in favor of something new.

We should not only think out of the box, but stay out of the box, and kick it as soon as somebody builds one.

This is what I had to say about the future of internal audit:

Internal audit has made great strides since I first became a CAE in 1990.

We have moved the edge of the practice from controls auditing to assurance over governance, risk, and control processes.

The majority of CAEs now report directly to the audit committee with functional reporting to at least the CFO if not the CEO.

But that leading edge is a thin one.

Far too few internal audit departments assess and provide assurance on the effectiveness of risk management.

Even fewer consider the risks of failures in governance programs and processes and include related engagements in their audit plan.

As I travel around the world, talking to internal auditors from Malaysia to Ottawa, I find a consistent pattern of growth. But, there remain pockets where the internal auditor is only there so that management can “check the box”. This seems especially true in government (from local to national), where internal audit departments are upgraded or disbanded based on politics – a concept I find abhorrent in what should be an independent and objective function.

Part of the problem is that audit committees don’t understand the potential of internal audit – and too many CAEs are not educating them. So, they don’t demand more and too many CAEs are satisfied doing what is expected without trying to change and upgrade those expectations.

Still, I expect that internal auditing practices will continue to improve. Organizations need them, as PwC says, to move to the “next platform” and provide assurance that is not just about what used to be the risks, but what they are now and will be in the near future.

Our business environment is becoming more complex, more dynamic, and changing at an accelerating speed. I expect that internal audit leaders will risk to the challenge.

Those that do will create a competitive advantage for their organizations.

Does your internal audit department need to change? Is it able to deliver world-class products and services that represent a competitive advantage for the organization? Do you help them increase the likelihood and scale of success?

Are you ready to adapt to tomorrow’s challenges?

I welcome your comments.

  1. Ricardo Atencia
    September 12, 2014 at 6:59 PM

    This is a very good and timely reminder for our profession.

  2. Elizabeth
    September 14, 2014 at 4:27 PM

    So true…complacency should never be the excuse – survival is dependant on innovation and adaptation of our environment.

  3. September 16, 2014 at 11:34 AM

    Norman, this question is not relating to the topic but this is how I can reach you quickly I guess. What is the best approach to auditing to use in internal audit and why? Given that you should be well in the know of the different transitions and changes in the profession. Please enlighten me. I’m seeking to make some improvement in my department here. Thanks in advance.

    • Norman Marks
      September 16, 2014 at 1:06 PM

      Tamika, please contact me offline at nmarks2@yahoo.com and give me more info on your situation.

  4. September 23, 2014 at 2:21 PM

    I definitely agree that Internal Audit should be constantly working toward higher performance, but that can often cause as many problems as it solves.

    From your book: “Part of the problem is that audit committees don’t understand the potential of internal audit – and too many CAEs are not educating them. So, they don’t demand more and too many CAEs are satisfied doing what is expected without trying to change and upgrade those expectations.”

    Quite often, Audit Committees don’t want the additional responsibility to fall within their committee confines. After all, strategy is a full board issue. When I’ve been in a company where, as the CAE, I attended the full board meeting, I was engaged much more readily for higher level items. In those where I was confined to the audit committee, it has always been with expectations to “cover the ground we’ve won and move ahead slowly.” I’m not sure education is the full answer.

  1. September 12, 2014 at 10:46 AM
  2. September 30, 2014 at 3:06 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: