Time for internal audit transformation
I have been writing for a while now, both here and at Marks on Governance, about the need for internal audit to (among other things):
- Move to enterprise risk-based auditing
- Audit at the speed of the business
- Communicate the results of its work, including its insights and advice, when they are needed – enabling informed and more effective decisions by management and the board, and
- Work with and for other committees of the board, not just the audit committee
When I wrote about the need for transformation in an article that will be published shortly in the IIA’s magazine, some reviewers expressed the opinion that most internal audit departments have already made that transformation.
I don’t believe that to be true, although if it is then it’s great news!
I believe that most internal audit functions are in the process of transforming. Some have made the move, at least in part, to a more flexible and dynamic audit plan that is updated quarterly or (better) monthly instead of relying on an annual plan. (Because the annual plan leaves you auditing what used to be a risk.)
Some departments have moved from full scope and lengthy audits to more nimble, shorter, and focused audits that let them complete their work and share their assessments and advice faster.
A very few departments have realized that a formal audit report, in the traditional manner, takes time and delays communication of results to those who need the information to drive action and decisions. IIA Standards do not require a formal report, only that IA communicate the results of its work. If we are to help the board and executives manage the business at speed, we have to provide significant information at speed. That means that we supplement or even replace the traditional audit report with other forms of communication – from phone calls and meetings, to integrating audit results into management dashboards.
Some CAEs now share their insights, assessments, and advice with a risk committee as well as the audit committee. But few, in my experience, provide reports on strategic risk to the full board, compliance risk to the compliance committee, or governance-related risks to the governance committee of the board.
So while some have transformed their internal audit departments to a degree, I don’t believe many have addressed all of these transforming actions.
In August, Paul Sobel (former chair of IIA and a highly respected CAE) and I held an OCEG webinar on world-class internal auditing, the subject of my 2014 book. (It followed an OCEG webinar with Richard Steinberg on world-class risk management, the subject of my 2015 book.)
In that webinar, I asked the attendees some polling questions. Here are the results:
| Is this a time for internal audit transformation? | |
|---|---|
| We have already made the change | 19% |

| Is your audit plan based on enterprise-level risks, or on an assessment of risks within process/locations/business units? | |
|---|---|
| Risks within processes, business units, etc. | 17% |
| A combination of the above | 69% |
| It is not risk-based | 3% |

| How often is your audit plan updated? | |
|---|---|
| As risks change | 33% |

The results seem to support my assessment of whether internal audit departments have completed their transformation or are in the process.
Paul and I were pleased to see the recognition that there is a need for transformation. 19% believe they have already transformed. My hat's off to them!
We were also pleased to see that relatively few remain wedded to the traditional risk assessment process, where the audit universe is risk-ranked and risks within elements of the audit universe (business units, processes and so on) are included in the audit plan. While only 11% have moved to enterprise risk-based audit plans, the majority build the audit plan based on a combination of top-down and bottom-up risk assessments. I interpret that as their being in transition, because risks that matter to the organization as a whole should take precedence over those that matter to a department or leader of a business unit.
About half of the audit departments represented still rely on an annual plan and only 33% have a dynamic plan that is updated as risks change.
So where is your audit department?
Is there a need for transformation?
By the way, I enjoyed this article about internal audit becoming an organization’s “tiger team”, helping to solve problems.