IIA Insights on Internal Audit Effectiveness
Two new reports from the IIA are worth downloading and reading carefully:
- Benchmarking Internal Audit Maturity, by Abdolmohammadi, D’Onza, and Sarens
- Voice of the Customer: What Stakeholders Are Telling Internal Audit, by Harrington and Witzany
I read the Benchmarking report first. Written by three eminent academics, it summarizes results from the IIA’s CBOK survey and attempts to assess the maturity of internal audit departments around the world.
I say “attempts” because it does not really share a full maturity model with us. I would expect to see something that takes key attributes of performance and defines what can be expected at different levels of maturity. Instead, it lists (without always providing a clear definition) several attributes and indicates how many report they have achieved some level of performance against them.
For example, it talks about aligning internal audit work with the strategies of the organization, but does not explain what that means. I doubt that it means that all internal audit engagements are designed to address critical risks to the objectives of the organization as a whole. If that were the case, very few would audit payroll, fixed assets, accounts payable, or employee expenses. When have you ever heard of an organization failing, or even substantially missing performance targets, due to control failures in any of these areas?
Even so, 45% of internal auditors responding to the CBOK survey said their department’s plan was not really aligned!
That is a problem.
How can we expect to be contributing to the organization’s success if the audit plan is not driven by the organization’s strategies and related risks?
In the second CBOK study, written by my friends Larry Harrington (current IIA chair) and Angela Witzany (incoming chair), the same topic is explored – with more meaningful results. (Perhaps this is to be expected: practitioners vs. consultants.)
Internal auditors must understand the mission, strategy, and objectives of their organizations. This was a central, overriding message from all categories of stakeholders. Whether they are board members or part of executive management, stakeholders are primarily focused on the organization’s success in accomplishing its mission. Naturally, they want to see internal auditors looking at their role in the same way, concentrating on how they can help the organization be successful.
One area addressed quite well in the Maturity report is internal audit’s risk assessment activity, the basis for the audit plan and the engagements that are performed.
Apparently, 32% only update their assessment of risk (and, I assume, their audit plan) once a year; 23% do so continuously; 36% periodically; and 9% never update their assessment!
While this is better than it has been in the past, I don’t believe that risks only change once a year, or even once a month! If we want to audit the risks of today and tomorrow, we have to constantly be aware of the changing risk environment.
According to the Witzany/Harrington report, executives are well aware of the need for internal audit to audit what matters now and in the near future:
A CFO in the United States expressed it this way, “Because technology is changing so much, we need to be focused on things that are happening right now. Ideally, [internal audit] can be looking at the future, but we can’t get there just yet.” Many others, however, recognize that future risks cannot be sidelined because they will soon be current risks. A chief executive officer (CEO) from South Africa commented, “Risks are always changing.
Now, the academics included in their maturity assessment whether internal audit has a formal, current audit manual.
Sorry, but in these days of dynamic change, a formal manual with documented audit procedures is one of the very last things I would worry about. In fact, if a lot of time is spent documenting today’s practices, it is not only going to be out of date very quickly but will consume resources that need to be spent auditing risks that matter.
One interesting topic in the second CBOK study talked about the value of assurance and whether it should be prioritized over advisory/consulting work.
I was very pleased to see the executives say that assurance comes first – and you do advisory work with remaining available resources. I have held this position ever since I became a CAE more than 25 years ago.
“Assurance activities would still go first, and if there are sufficient resources, the remaining resource will go for consulting.” —Board Member, Taiwan
“Assurance is essential and consulting is nice to have, but should be second in priority.” —Board Member, United States
“First of all, priorities should be identified. I think assurance activities come first.” —Executive Management, Turkey
All in all, these are useful reports and I recommend downloading and reading them both.
What is your reaction to these points, especially the focus on assurance and the need for continuous risk assessment and updating of the audit plan?