The state of the internal audit profession
My friend Richard Chambers has written a couple of posts that merit our careful attention.
Frankly, all of his posts merit our attention, but these are important.
I ask that you review:
- The State of Internal Audit: Facts vs. Conjecture, and
- For Internal Audit, the Best Defense Is a Strong Offense
I have not spoken to Richard about either of his posts nor about his motivation for writing them. (See Note at conclusion.)
However, I suspect that they were sparked by articles such as this, Internal Audit Losing Prestige, Survey Finds. To quote that piece:
In the eyes of CFOs and many other senior executives and board members, the internal audit function is fast losing prestige, a new study suggests.
The reason? Most internal auditors are slow to help their employers prepare for and respond to major corporate “disruptions” like big regulatory changes and cyber attacks, according to PwC’s 2017 State of the Internal Audit Profession Study.
The portion of “stakeholders” — internal auditors, senior executives, and board members — reporting that “internal audit adds significant value” plummeted from 54% in 2016 to 44% in 2017, reaching the study’s lowest level in the five years PwC has been tracking the metric.
Tim Leech of Risk Oversight was more gloomy about the current state of internal audit when he wrote a piece with the highly provocative title of Is Internal Audit the next Blackberry.
Full disclosure requires that I tell you that I have known both Richard and Tim for a very long time.
- Richard and I come from different backgrounds but tend to see things in similar ways (while he served as CAE in the US public sector, I served as CAE for global public companies; he worked with PwC in the consulting and audit services area before becoming CEO and President of the IIA, while I started my career with PwC in public accounting). His position requires him to be diplomatic while I tend to be more provocative. I served many years on IIA committees and task forces and Richard and I have collaborated on a number of AuditChannel broadcasts.
- Tim and I also have different backgrounds. While he also started with PwC (in Canada) before moving into internal audit, he has been a consultant for the last 30 years. Tim and I often disagree but have a mutual respect. Recently he has shared drafts of his work with me for comment before they are published.
Richard is far more provocative than usual in his March 27 post when he says:
It is a truism that negative news tends to generate more attention, and of late there has been too much of it directed at internal audit. I wouldn’t go so far as to characterize it all as “fake news,” but much of it is “hyped news” at best. Whether it’s a media headline trumpeting a purported decline in stakeholder confidence in internal audit or pundits characterizing the profession in such stark terms as the next Blackberry, a few sensational “sound bites” can easily become fodder for those who are quick to relegate the profession to irrelevancy.
Naturally, Tim sees this as labeling his writing as “fake news”.
Richard is 100% correct when he states:
No one has been more open and transparent about challenges and opportunities facing our profession than I have been. Along with other leaders of The IIA, we have continuously challenged internal auditors to acknowledge and address any shortcomings that surface. Internal audit should never shy away from fair critique of its work. However, superficial interpretation of data about the profession can quickly morph from valid encouragement for continuous improvement to destructive criticism.
Equating survey results indicating that less than half the respondents believe “internal audit adds significant value” with a loss of prestige is fallacious. The fact that internal audit functions are able to add staff may indicate that they are being given more resources so they can do more and add greater value.
I don’t believe internal audit is “losing prestige”. My belief is that internal audit can and should do more to deliver the value that our stakeholders need.
Unfortunately, internal audit at many if not most organizations does not have a lot of prestige and the argument should be about increasing rather than losing it.
Let’s look at some more information.
My friend Joe McCafferty of MISTI recently wrote about comments by a panel that included other friends, Larry Harrington and Angela Wizany, along with Brian Christensen of Protiviti. Joe’s piece is titled Stakeholders are sending a clear message to internal audit to step up its game.
I strongly recommend reading the piece and noting the eight action items.
One quote by Brian caught my eye:
Stakeholders are challenging us to get out of our swim lanes. We as auditors are so accustomed to doing our behaviors. We have our audit plans, we have our pencils. But [stakeholders] talked to us about the fact that things change. Be adaptable, be flexible, and be receptive to embracing new challenges and taking them on.
I have worked with IIA Malaysia in the past, including talking on their behalf to the Malaysia Securities Commission and presenting to board members. The profession appears to be strong there, but a recent survey indicates that more is needed.
An article in the local business newspaper reported that:
Public listed companies (PLCs) in the country still have much room to strengthen their internal audit functions, according to a year-long survey commissioned by the Institute of Internal Audit Malaysia (IIAM).
In a statement, IIAM said 54% of the PLCs on the Main Market preferred to outsource their internal audit function and almost all (90%) of these PLCs that outsourced paid RM100,000 or less in a year.
“The amounts incurred indicate that very junior staff or very few staff were in the audit team and a limited scope was covered. The low amounts are also a sign that the staff are not professional staff and may not have the experience and skillset to effectively carry out the work, thus less is spent,” the institute said.
“PLCs should consider the professional qualifications, certification and experience of their OSPs (outsourced service providers) in relation to the scope of the work required to ensure adequate coverage of risk areas and reliable reports are issued.”
Tim has every right to challenge the current state of internal auditing and I know Richard respects that.
I don’t agree with Tim’s reference to a “direct report internal audit paradigm”. While he has explained what he means to me in private conversation, I strongly doubt that many know what he is referring to. However, I do agree that internal audit should provide assurance on the effectiveness of risk management and its ability to help the organization make intelligent decisions and achieve objectives.
There is some merit to Tim’s thinking, but I always struggle with the way he says it. (Sorry, Tim).
Nevertheless, we need people like Tim to challenge us.
Now is the time to step back and think about why the surveys are saying what they are saying, and then talk about what needs to be done about it.
Richard and I have both shared our views with new books.
- Auditing that matters takes on the issue of auditing the risks that really matter to the success of the organization and then sharing with executive management and the board what they need to know.
- Trusted Advisors: Key Attributes of Outstanding Internal Auditors discusses the “top attributes needed to excel as an internal audit professional and be viewed as the go-to person within the entity”.
I would like to think that between us we have charted a way forward.
Internal auditors need to be “proactive” and “forward-looking” according to our Principles for Effective Internal Auditing.
Let’s adopt that mindset for our own practices and profession.
Forward ho! The future is bright. Internal auditing in 2020 and beyond may well be quite different than it has been in the past.
I welcome your comments.
NOTE: I shared a draft of this post with both Richard and Tim. Neither has a concern, although Tim and I remain at odds over his terminology and perhaps more.
Very thought-provoking, Norman. Similar to your post about the State of Risk Oversight report, in that we should question how the surveys are being conducted and the details that support the summaries that are released. Thanks for sharing.
Much of the discussion is very ‘high level’, with percentages, surveys and opinions being bandied about. I have probably been out of the profession for too long, so hopefully someone will correct me if I am wrong, but I don’t get any impression of what auditors on the ground are actually doing. Are the troops still using audit programmes? Are reports still concluding, ‘Controls are (un)satisfactory’? The evidence from the UK IIA (https://www.iia.org.uk/resources/delivering-internal-audit/delivering-internal-audit-findings/) is that they are – only one conclusion (example 6) relates to the achievement of objectives.
Consider the bedrock of internal auditing – the Standards. Do they present a profession which is relevant to management? Comments are made about the objectives and goals of management, but there is little emphasis in the interpretation to 2450 that the conclusions should relate to these goals.
The quote above, ‘Stakeholders are challenging us to get out of our swim lanes…’ is very relevant. The only problem is that our swimming costume is so out-of-date that it has a hole in the knee…
If the first and second line of management adopt Tim’s approach, we get better and more comprehensive assurance on accomplishing business objectives and need fewer internal auditors inspecting it in. The generally accepted internal audit approach should be challenged, as it was good for many years but is declining in value in the eyes of many. Sorry IIA, but you will be disrupted, like it or not.
“The profession appears to be strong…” referring to the Malaysian internal audit profession. Have lived and worked here in Malaysia for 6 years… the disparity between how things “appear” to be and what they actually are in reality can be larger here, compared to other countries I have lived in.
Forget about surveys as an indicator (that in itself would be a radical change for most consultants). Look at some other indicators to assess the strength of the internal audit (and risk management) professions. When you go to a conference, look at what sort of people are attracted to it. Talk to people in organisations as to whether it is easy or hard to attract people. Ask a CEO how many times he converses with his so-called CRO during a quarter. How well are people paid? Do we have high quality people jumping out of their skin to join risk management departments? What are the ages of the people who engage in these types of discussions on LinkedIn? Etc. I think there are many other measures we can use… and based on my experience here in Malaysia, Singapore and Australia, Tim Leech’s article underplays the extent of the problem… yes, underplays it. Whether his solutions are 100% right or only 50% right is irrelevant for me; what he has got right is that there should be significant change. Rgs
Both internal audit and risk management are tools available to assist management and oversight bodies with reducing uncertainty. Part of the problem, in my view, is that audit plans and risk logs have become products and ends in themselves – disconnected from the delivery of business objectives. The shortfalls of internal audit and risk management functions will only be addressed when those responsible for control strategies properly understand how to use risk and assurance. The first and second lines of defence should be applying risk management methods where appropriate and should have an opinion on the adequacy and effectiveness of their control strategies. Independent assurance should then be applied, where appropriate, to confirm or challenge this opinion.
Risk management and internal audit will only be truly effective when the right expectations are communicated from the top down. For example, if some level of failure to meet business objectives is experienced, questions from the execs (or audit committee or board) along the lines of:
– Was this risk identified in your risk management process?
– Did you have a defined and assessed control strategy that was embedded in management routines?
– Did you use independent assurance to confirm your opinion on the control strategy?
– Was this opinion fed back into your risk management process?
If the answers to these questions are negative, management better have a good reason for not using the tools at their disposal.
Internal audit can only do so much itself. Management need to apply risk and assurance effectively and not just tick the governance box.
Dear all, my humble view: (1) this is not about individuals; that is irrelevant; (2) let’s stop questioning others’ feedback, even if that may be perceived as unfair; (3) the IA profession has much room to grow, and there are many dimensions in which to do so, e.g. talking more about role models in action (what does good look like in a specific context?), shortening the huge spread between top and bottom (there is much nonsense out there which has the label IA); stop viewing IA as the little brother of External Audit (we are different… make that clearer…); using the QA and IP process much more forcefully to make all IAFs a bit better, every day, step-by-step; in a nutshell: make clearer to everyone (esp. to the key stakeholder/s) what SUCCESS in Internal Auditing is about; there is still mystery around that (…) My 2 cents today, not all-inclusive, of course. IA has huge potential; let’s exploit that more fully – together, the IIA Institute, IA practitioners and academic researchers in the field of corporate governance and management control. What does SUCCESS in IA look like? Let’s talk more about that, in US and in non-US settings. ☀️☀️☀️ greetings to you all from Rainer (www.drrainerlenz.de)
In Joe McCafferty’s article the first of the eight items that the board want to know from internal audit is, ‘1. Know your organization’s mission, strategy, and objectives’. I’ve looked through the syllabus of the CIA exam and have not managed to find mention of this requirement. Perhaps that’s the start of internal audit’s problem?
Norman: Thanks for referencing my efforts in your post even if you don’t always agree or understand them (your words). I’m sorry you don’t like the term “direct report auditing” and don’t share my passion for objective centric ERM and IA. “Direct report audit”, where IA forms an opinion directly on the subject matter, is the only technically correct term I know to distinguish it from auditing a management self-assessment risk status representation. I think the fundamental question is whether the traditional internal audit paradigm of planning audits, completing audits, forming subjective opinions on “internal control effectiveness” without assessing the full range of risk treatments/responses, writing audit reports and publishing audit reports, often months after field work is done, still meets the needs of customers, including boards, who are also being told they need to oversee robust ERM frameworks to keep up with a rapidly changing world.
I believe a large percentage of IA shops are still using the traditional IA paradigm (but this would be worth confirming) and that is what is driving the customer dissatisfaction ratings, because boards are absolutely expected to oversee management’s risk appetite/tolerance/culture/systems. Why aren’t more IA shops adopting ERM terminology and using it when completing audits? The June 2016 COSO ERM draft stresses that ERM is fundamentally about increasing certainty that objectives will be achieved. I struggle to understand why the IIA doesn’t want to push internal auditors to move away from opining on “internal control effectiveness” and focus on whether the board is getting a materially reliable picture of the state of retained risk linked to key objectives. I have believed for many years that IA dissatisfaction, in addition to not meeting today’s emerging expectations very well, is based on parent/child interaction. If I told you I thought the “internal controls” you used to raise your family or keep your family safe were ineffective, how would you feel? It’s time to raise the interaction between IA and boards and senior management to adult to adult and focus on whether there is consensus agreement on the acceptability of residual risk linked to top value creation and preservation objectives.
Thanks to Glenn Daly for his comment. 50% agreement would be great as far as I am concerned. Seeing the IIA candidly acknowledge there is “really” a customer satisfaction problem would also make my year. Denying there is a problem and suggesting those that believe there is are just sensationalizing “or worse” the real situation is a step back, not forward, in my opinion.
Auditor skills have been watered down by SOX in my opinion. Many of these SOX auditors have become one trick ponies. They get settled in on SOX audit scripts and never get the opportunity to investigate and learn how to identify other risks. It is debatable if SOX has even worked. Add the enormous amount of money public accounting companies charge while sending out new untrained and overworked college grads, it is no wonder audit reputation is on the decline.
Basically, here’s how I would view it: in every service profession the challenge is to at least provide sufficient significant relevance (and hopefully much more than that) to the people who use or rely on the service, and to make yourself known. IA, just like external audit, is lucky that in some jurisdictions the IA function is required. If the people who might be interested in IA and what it can provide are senior/executive management, the board/audit committee, shareholders, and regulators (and others?), ask in general terms what services and reports (and the timing of those reports) by IA would significantly benefit and interest them in their job functions, and, more importantly, then also ask that question within the specific organizations and entities. And then make sure that IA can actually provide the valued service and report, and effectively communicates the value that it can and does provide. Everyone already knows this. This has been talked about for years. Within each organization, can IA communicate on a single piece of paper the specific services and reports that it is providing or is qualified to currently provide, and the timeliness and ROI, so that management and the board/audit committee, and whomever else, say “Yes, I need that and I want that”? That’s how I view it. The IIA can be very instrumental in this and I see that it is trying. IA within each organization also needs to do the same, and I assume probably is. I have a sense that the word still really isn’t getting out sufficiently. One other comment (although again I realize that none of what I am saying is new): a friend of mine used to start each meeting with brief comments about recent actions and successes that had been undertaken and achieved – I find that approach helpful, and thereafter going to the problems or needed improvements and timelines going forward. Have a good day. Thank you all for your continued blog posts, books, articles, comments, etc.
David Tate, CPA (inactive), Esq., San Francisco, California
Like humans, Internal Audit functions come in many varieties of quality, some excellent, some virtually useless. My view is that there are quite a number of excellent IA functions reporting to weak Audit Committees, but there will be no weak IA functions reporting to good Audit Committees! In many companies, internal auditors are unsung heroes, often being unpopular when pointing out weaknesses and opportunities and then standing on the sidelines watching management get the rewards for fixing the problems using IA’s recommendations. You also get what you pay for. Sometimes management does not want strong IA functions or personnel, and boards get false assurance just by having an IA function in place irrespective of the quality. Bottom line: if the IA function is no good, then you know you have an inadequate board.
John: I share your views on the variation in internal audit shops. My sense is more than a few boards wouldn’t know a good one from a bad one. Over the past 30 years I have seen it in practice. The only caveat I would add is I think there are some generally good boards with good directors that don’t really know how to oversee internal audit and ERM at this point in time. Parveen Gupta and I have authored quite a number of articles for Conference Board Director Notes and ETHICAL BOARDROOM in hopes of influencing good directors that genuinely want to do a better job. Our paper on board oversight of risk culture appears to have been one of the most popular.
It was picked up by the Harvard and Columbia law and governance blogs (https://goo.gl/JhsIHn) I know you have lectured at Directors College and Richard Leblanc has also been very supportive spreading the word through Wiley’s Handbook on Board Governance that you played a big role on.
The nature of business disruption is it’s very difficult to see coming from the inside of an organization; the change is applied from the outside. If IA is focused on helping management achieve its stated objectives, we’ll miss it too. We also have to be concerned with existential risks to the organization itself. This requires a bit different perspective.
A former CEO of P&G John Smale wrote: “The board is responsible for the successful perpetuation of the corporation. That responsibility cannot be relegated to management.” If IA sees itself as an agent of the board in addition to management, that may open up our perspective, to focus on threats to the business model (see Drucker “The Theory of the Business”).
We also have to spend more time understanding and helping the organization adapt to its changing environment. The COSO ERM encourages more focus on strategy formulation (pre-objective setting activity) not just post-objective (implementation).
Porter’s opening line in his book “Competitive Strategy” is: “The essence of formulating competitive strategy is relating a company to its environment.” We have to learn how to help our companies do this, and evaluate the processes for doing so.
I’ve re-read the two of Richard’s blogs referred to above, and his opening blog of the year, ‘5 Resolutions for Internal Audit’. I’ve also read the comments on the resolutions and agree with Tim, internal audit needs to revolutionise, not tweak.
While much is being said about the need for change, there is very little evidence of it actually happening. Audit templates are still very popular on the web and, as I’ve said in posts above, there’s not much revolution going on in the IIA standards or exam syllabus.
Where might I see evidence? In the program for the International Conference? No evidence here of any sessions really challenging the internal audit approach outlined in the standards. I appreciate that Tim is occasionally allowed to ruffle feathers at some conferences but I don’t see keynote speeches from Chief Executives challenging what internal auditing is doing, and what it needs to do to be a true ‘trusted advisor’. Though I do note Norman’s blog of April 9, 2010 (https://iaonline.theiia.org/the-rock-stars-of-internal-audit-were-at-the-iias-gam-conference) on the GAM conference, where Larry Harrington seems to have made some relevant comments. Not much seems to have happened in the last 7 years.
Richard noted that, ‘The IIA’s Common Body of Knowledge (CBOK) Stakeholders Study found 64 percent of stakeholders want internal audit to have a more active role in assessing strategic risks.’ But doesn’t that mean that 64% of internal auditors are not providing what their stakeholders require? Figures can be read in many ways but the need for change has been apparent for years. The IIA should be leading and I don’t think it is.
We shouldn’t forget that the greatest risk to any organisation is not fraud, or IT, or loss of reputation – it’s complacency (as Larry said 7 years ago).
David: Great post. In my last comment on Richard’s IIA blog I respectfully suggested not much in the way of real change is apparent to those of us on the outside. Re Tim being allowed to ruffle feathers at the occasional IIA conference: I proposed papers at a number of recent IIA global Conferences and it appears the IIA Global doesn’t want any feather ruffling anymore. My IIA blog that I authored for a couple of years around 2009 was cancelled with no explanation. I suspect I was fired for suggesting COSO was in need of change. My course on objective centric ERM and IA that the IIA retained me to teach was removed from the IIA course listings with no notice or explanation. In spite of asking for one, they never did provide an explanation. Fortunately IIA Canada has been and continues to be very supportive of feather ruffling, and the ACCA in the UK has been a great supporter of getting new ideas out to members. Bill Bishop, past IIA CEO two CEOs back from Richard, was very supportive of ensuring contrarian views were presented at IIA Conferences and played an important part supporting the CRSA/CSA movement in the 90s. It would be great if Richard would really push a major change agenda, not just little tweaks. So far all I have seen is that internal auditors should listen to stakeholders and be agile, with little detail on what technical elements should change in the core IA methodology taught in IIA courses and the CIA exam. As far as I know the IIA has still not publicly suggested internal auditors should even use generally accepted risk management terms and methods in their work like “risk treatment/responses” or learn about risk transfer, risk finance, risk avoid, etc.
Tim, I am curious why you talk about “generally accepted risk management terms” when the ones you reference are not accepted. In fact, I have been saying for some time that language is the bane of risk management and we should use plain English.
Norman: I am referring to what exists that could be considered “generally accepted” – ISO Guide 73. It meets SEC due process criteria. It could be improved, but it is the closest thing out there that has undergone due process and input from countries all around the world. Certainly if you don’t think the ISO Guide 73 authors are using “plain English” you should provide them with your thoughts. My understanding is that tens of thousands of hours have gone into agonizing over the words in the ISO Guide 73 and even more are going into the upcoming update. Guide 73 and ISO 31000 are certainly far more concise than the windy COSO ERM documents. Perhaps you could propose the Norman Marks’ Risk Management Vocabulary Guide as an exposure draft and see if you can qualify it as “generally accepted”.
It’s a bit of shame that comments on such an important topic seem to end with a disagreement on words. If the internal audit profession can’t get further than that, then I can’t help feeling that the future is bleak.