Time for internal audit transformation
I have been writing for a while now, both here and at Marks on Governance, about the need for internal audit to (among others):
- Move to enterprise risk-based auditing
- Audit at the speed of the business
- Communicate the results of its work, including its insights and advice, when they are needed – enabling informed and more effective decisions by management and the board, and
- Work with and for other committees of the board, not just the audit committee
When I wrote about the need for transformation in an article that will be published shortly in the IIA’s magazine, some reviewers expressed the opinion that most internal audit departments have already made that transformation.
I don’t believe that to be true, although if it is then it’s great news!
I believe that most internal audit functions are in the process of transforming. Some have made the move, at least in part, to a more flexible and dynamic audit plan that is updated quarterly or (better) monthly instead of relying on an annual plan. (Because the annual plan leaves you auditing what used to be a risk).
Some departments have moved from full scope and lengthy audits to more nimble, shorter, and focused audits that let them complete their work and share their assessments and advice faster.
A very few departments have realized that a formal audit report, in the traditional manner, takes time and delays communication of results to those who need the information to drive action and decisions. IIA Standards do not require a formal report, only that IA communicate the results of its work. If we are to help the board and executives manage the business at speed, we have to provide significant information at speed. That means that we supplement or even replace the traditional audit report with other forms of communication – from phone calls and meetings, to integrating audit results into management dashboards.
Some CAEs now share their insights, assessments, and advice with a risk committee as well as the audit committee. But few, in my experience, provide reports on strategic risk to the full board, compliance risk to the compliance committee, or governance-related risks to the governance committee of the board.
So while some have transformed their internal audit departments to a degree, I don’t believe many have addressed all of these transforming actions.
In August, Paul Sobel (former chair of IIA and a highly-respected CAE) and I held an OCEG webinar on world-class internal auditing, the subject of my 2014 book. (It followed an OCEG webinar with Richard Steinberg on world-class risk management, the subject of my 2015 book).
In that webinar, I asked the attendees some polling questions. Here are the results:
| Is this a time for internal audit transformation? | |
| Yes | 75% |
| No | 3% |
| We have already made the change | 19% |
| No opinion | 3% |
| Is your audit plan based on enterprise-level risks, or on an assessment of risks within process/locations/business units? | |
| Enterprise-level risks | 11% |
| Risks within processes, business units, etc. | 17% |
| A combination of the above | 69% |
| It is not risk-based | 3% |
| How often is your audit plan updated? | |
| As risks change | 33% |
| Quarterly | 15% |
| Annually | 49% |
| Other | 3% |
The results seem to support my assessment of whether internal audit departments have completed their transformation or are in the process.
Paul and I were pleased to see the recognition that there is a need for transformation. 19% believe they have already transformed. My hats off to them!
We were also pleased to see that relatively few remain wedded to the traditional risk assessment process, where the audit universe is risk-ranked and risks within elements of the audit universe (business units, processes and so on) are included in the audit plan. While only 11% have moved to enterprise risk-based audit plans, the majority build the audit plan based on a combination of top-down and bottom-up risk assessments. I interpret that as their being in transition, because risks that matter to the organization as a whole should take precedence over those that matter to a department or leader of a business unit.
About half of the audit departments represented still rely on an annual plan and only 33% have a dynamic plan that is updated as risks change.
So where is your audit department?
Is there a need for transformation?
By the way, I enjoyed this article about internal audit becoming an organization’s “tiger team”, helping to solve problems.
Leave a Reply
Norman Marks on Governance, Risk Management, and Audit 
very good and inspiring article. Thanks Norman
I have met a few IA who heads RM department, still the same, focus on their skills and apply the techniques used in IA training. Personally it would take lots of effort for them to get out of their current frame of mind. They need to see the macro and not focus on micro when dealing with the risk otherwise the questions asked will be very stressful for the risk owner. You think so from your experience.
Norman I agree with most of this. I do think, however, we are at danger of replacing one ideological misdescription of reality with another. So, for example, are strategic risk really quick moving? I think we confuse quick moving strategic issues with risks. So business models and customer markets do not change overnight in most cases, they evolve. Perhaps they do change in the tech world by even so the move to online has still taken some time. So is an annual audit plan (which for most functions was a compass not a sat nav map in any case) really so bad? Should we accept that well considered, evidenced, independent and objective papers take a little time to produce. It’s normally weeks not months or years. Perhaps these do have value above and beyond panicked quickly produced management papers? So I do accept your point to reform but don’t replace one faulty and ideological view of how it ‘must’ be done with another!
Some great points here. It’s so important to make sure your audit department is working as effectively as possible. Thanks for sharing your insight!
I agree with all your suggestions – but comment on two:
– Work at the speed of business: There are two elements for IA to think about: (1) Why is the business moving at the speed it is? and (2) is the strategy so ‘granular’ that every market movement requires a rapid response. Both elements can be addressed in a carefully crafted audit of the Business Strategy.
– Work with and for other committees of the Board: IA is often shy about venturing outside the Audit Committee. The question I ask of Boards is this, Who else can provide you with the assurance you need to confirm that decisions taken by you have taken effect appropriately. The responses often are that they didn’t think about using IA because it ‘belongs’ to the Audit Committee. When asking IA why they don’t offer services more broadly at the Board level, the answer too often is, “I didn’t think about it.”