IIA Insights on Internal Audit Effectiveness

Two new reports from the IIA are worth downloading and reading carefully:

I read the Benchmarking report first. Written by three eminent academics, it summarizes results from the IIA’s CBOK survey and attempts to assess the maturity of internal audit departments around the world.

I say “attempts” because it does not really share a full maturity model with us. I would expect to see something that takes key attributes of performance and defines what can be expected at different levels of maturity. Instead, it lists (without always providing a clear definition) several attributes and indicates how many report they have achieved some level of performance against them.

For example, it talks about aligning internal audit work with the strategies of the organization, but does not explain what that means. I doubt that it means that all internal audit engagements are designed to address critical risks to the objectives of the organization as a whole. If that were the case, very few would audit payroll, fixed assets, accounts payable, or employee expenses. When have you ever heard of an organization failing, or even substantially missing performance targets, due to control failures in any of these areas?

Even so, 45% of internal auditors responding to the CBOK survey said their department’s plan was not really aligned!

That is a problem.

How can we expect to be contributing to the organization’s success if the audit plan is not driven by the organization’s strategies and related risks?

In the second CBOK study, written by my friends, Larry Harrington (current IIA chair) and Angela Witzany (incoming chair), the same topic is explored – with more meaningful results. (Perhaps this is to be expected: practitioners vs. consultants).

They say:

Internal auditors must understand the mission, strategy, and objectives of their organizations. This was a central, overriding message from all categories of stakeholders. Whether they are board members or part of executive management, stakeholders are primarily focused on the organization’s success in accomplishing its mission. Naturally, they want to see internal auditors looking at their role in the same way, concentrating on how they can help the organization be successful.

One area addressed quite well in the Maturity report is internal audit’s risk assessment activity, the basis for the audit plan and the engagements that are performed.

Apparently, 32% only update their assessment of risk (and, I assume, their audit plan) once a year; 23% do so continuously; 36% periodically; and 9% never update their assessment!

While this is better than it has been in the past, I don’t believe that risks only change once a year, or even once a month! If we want to audit the risks of today and tomorrow, we have to constantly be aware of the changing risk environment.

According to the Witzany/Harrington report, executives are well aware of the need for internal audit to audit what matters now and in the near future:

A CFO in the United States expressed it this way, “Because technology is changing so much, we need to be focused on things that are happening right now. Ideally, [internal audit] can be looking at the future, but we can’t get there just yet.” Many others, however, recognize that future risks cannot be sidelined because they will soon be current risks. A chief executive officer (CEO) from South Africa commented, “Risks are always changing.

Now, the academics included in their maturity assessment whether internal audit has a formal, current, audit manual.

Sorry, but in these days of dynamic change, a formal manual with documented audit procedures is one of the very last things I would worry about. In fact, if a lot of time is spent documenting today’s practices, it is not only going to be out of date very quickly but will consume resources that need to be spent auditing risks that matter.

One interesting topic in the second CBOK study talked about the value of assurance and whether it should be prioritized over advisory/consulting work.

I was very pleased to see the executives say that assurance comes first – and you do advisory work with remaining available resources. I have held this position ever since I became a CAE more than 25 years ago.

“Assurance activities would still go first, and if there are sufficient resources, the remaining resource will go for consulting.” —Board Member, Taiwan

“Assurance is essential and consulting is nice to have, but should be second in priority.” —Board Member, United States

“First of all, priorities should be identified. I think assurance activities come first.” —Executive Management, Turkey

All in all, these are useful reports and I recommend downloading and reading them both.

What is your reaction to these points, especially the focus on assurance and the need for continuous risk assessment and updating of the audit plan?

  1. July 24, 2016 at 9:46 AM

    Deloitte et al. have a (hidden) commercial bias: the more change is needed, the more money can be earned. Since there is nothing as constant as change, that is not a bad business model after all. Admittedly, Deloitte produces highly valuable research that you can use in practice. Much appreciated, really! I fully concur, COMBINED ASSURANCE is a very promising path forward. With this perspective I expect that the 3LoD-model and the underpinning thinking will be falling apart, eventually.

  2. July 25, 2016 at 12:28 AM

    Norman, maybe you can share your thoughts on the “Internal audit ambition model”. It is a publication by IIA The Netherlands and the NBA, the Dutch organisation of CPAs. You can easily find it on the internet. It does contain a more detailed model.

  3. Mark Ruppert, CPA, CIA, CISA
    July 28, 2016 at 5:03 PM

    I appreciate very much that the Voice of the Customer survey simply asked our stakeholders what they liked and wanted instead of asking them to rate their perception of our performance as a profession; the latter seems counterproductive to getting out the good news about Internal Audit. We need to understand what our customers want and maintain our focus there, but as far as how we’re doing in that regard, it seems most useful to pursue that more detailed feedback on an individual organization basis where the related variables are better known.
    That said, either way survey results must always be analyzed with our professional skeptical minds at full alert: they can be useful but so often misinterpret what they find because of the difficulty in knowing all the variables that might affect how someone interprets and answers a given question. Case in point on the maturity survey – while the IIA may have attempted to define comprehensive versus focused risk assessment, there is not a globally accepted definition of these (or many risk factors for that matter) so do we really know what the answers mean and how much similarity or variability exists in this area?
    Please don’t take my comments to mean I find the surveys meaningless, I’m just careful in assuming we learn more than we really learn.
    As to what we have to work with, I prefer to compare the maturity results with the voice of the customer results and for me, some of what I gleaned is as follows:
    • In terms of maturity, I would define a mature internal audit function as one that effectively provides what is expected of an audit (assurance) and produces it in a manner that generally meets the expectations of its stakeholders. No matter how we slice and dice it, if the organization board is
    • To best address stakeholder needs, a mature internal audit function must provide effective assurance services at its core. This is not defined as evidence of internal audit maturity anywhere in the maturity study and in fact is only mentioned as a CAE quote in relation to risk assessment and otherwise only in relation to internal audit focus on continuous quality improvement. Are we simply assuming that all internal audit shops are mature in how they provide assurance or should we rethink what mature assurance should be or become?
    • Risk is certainly important and internal auditors should certainly be focusing their limited resources on the highest risk areas, at least most of the time. That said and when considering maturity, the maturity of the risk arena is certainly other than adulthood. The approaches from one shop to the next are as much similar as they are dissimilar; I rarely speak with any two CAEs who assess risk in the same exact way, which seems to make comparisons by approach less meaningful than comparison by results. But, how do we define results of risk assessment and, for that matter, risk management (beyond the context of risk management as the management of insurable risks)? Based on how well everyone predicted and addressed the 2008 financial crisis, how would we evaluate risk assessment results and what might it say about risk assessment maturity levels? Or maybe risk assessment is as mature as it can get given the inability to predict future events and reaction to those events?
    • At the end of the day no matter how comprehensive or focused risk assessment becomes, it is only as good as its weakest link: the effectiveness of the decisions made by the organizational leaders. Can we easily assess decision making? Maybe one day, but for now decision-making is the biggest risk to any organization with or without an assessment list, matrix, array or otherwise.
    • When comparing these surveys, certain truths emerged for me:
        ◦ We must know and understand the organization’s leaders and the tone at the top;
        ◦ We must be freely permitted to offer assurances and identify when assurance cannot be provided or is not evident;
        ◦ We must accept that even with our input, decisions may be made that defy reason and achieve results that differ from what a given risk assessment may suggest at the time the decisions are made;
        ◦ We must continue trying to timely refine our approaches in changing environments and relative to changing stakeholder demands while continuing to provide the most effective assurance services possible; and,
        ◦ We must never rest on our laurels. We must understand our organizations from strategy to sales in a manner that helps us change and mature with our organizations and the industries and stakeholders they serve.
    I could easily turn most of what is summarized into different questions we might consider asking. We shouldn’t assume we can keep providing assurance in the same old way but we also shouldn’t lose sight of our core mission in the process of defining our latest maturity levels. For example, data analysis is a good effective approach that has helped for many years and is now really a must for auditors since not much remains on paper, what about how mature internal auditors are in focusing on and helping to find ways to build assurance controls and processes into systems and structures to continually improve monitoring systems? Or, instead of focusing so much on how we identify and assess risk, what about focusing on how meaningful and useful risk data is to organizational decision-makers, ensuring decision makers are considering the risk information available when making decisions, and how leaders are being evaluated on their decision-making performance?
    I hope this doesn’t seem like a rant; reading through the surveys just got me thinking…

  4. Sergey Utkin
    July 30, 2016 at 12:24 AM

    That’s really helpful to know what stakeholders do expect from IA function. Without that knowledge or understanding of those expectations an IA function has no chance to get a mature one.
    “Sorry, but in these days of dynamic change, a formal manual with documented audit procedures is one of the very last things I would worry about.” I believe that is true and fair for such a guru as Mr. Marks, and when such a guru performs an engagement without assistants (especially young ones). To my mind documentation is helpful, but it should not bring us to deep bureaucracy and get drawn in tons of useless papers and files. As usual that is the matter of the balance.
