Deloitte on internal audit and the path forward

In a new paper, Deloitte takes the results of its latest survey of chief audit executives (CAEs) and makes recommendations for action.

The survey, which has been widely reported, indicated that in the opinion of the responding CAEs only 28% of them “believe their functions have strong impact and influence in their organizations, while 16 percent felt that Internal Audit has little to no impact and influence”.

I think the path to fixing the problem starts with acknowledging it, which Richard Chambers has done in a number of his IIA posts (which you can find here).

Deloitte has suggested 9 areas of focus.

I disagree with them.

Here are my suggestions for CAEs, audit committee members, and executives who want to help improve the quality and value of internal audit services.

  1. Audit what matters. Audit how risks to the achievement of enterprise objectives, what might cause them to fail and what is necessary to succeed, are managed. Richard Chambers and I have each written a book with advice on the path forward. Neither of us does it for the money; it’s our shared desire to see the profession advance. My latest book, Auditing that matters, addresses this topic and more.
  2. Focus on helping your stakeholders succeed, rather than on performing audits and writing audit reports. Read Richard’s latest, Trusted advisors: key attributes of outstanding internal auditors. Ask what information your stakeholders need from you which could make them welcome you to their table.
  3. Communicate what matters, when it matters, in a way that is actionable and readily consumed. The advice on this topic from Deloitte is off the mark. I cover the point in far more detail in my book, including pointing out that IIA Standards do not require an audit report; that the best communication is face-to-face where questions can be asked and answered; and that we need to deliver our assurance, recommendations, and insights at speed. The business is being run faster and faster, yet our reporting process remains slow and old-fashioned.
  4. Understand why the CAE is not getting the respect he or she should. Is it a failure of the CAE to explain effectively or of the audit committee and management to understand the potential for internal audit to help them succeed? Is it because the CAE is complacent, delivering what he is told he should and being satisfied with good performance reviews and bonuses instead of pushing the envelope to deliver the services and value he or she could and should?
  5. Deliver. Last but hardly least, the CAE must deliver assurance and insights that the executive team and the audit committee truly value. Again, this is what my book is all about, but if the executives and audit committee see our end product as ‘ho-hum’ and not something that might affect their decisions or strategies, then is it worth the money being spent on internal audit? Why should they give respect and, more importantly, their time to an activity that is peripheral at best to running the business?
  6. Be willing to change. Some CAEs, such as Chris Keller at Apple, have thrown out the traditional internal audit model because they can see a better way to add value to the organization, providing assurance that the right risks are being taken. We don’t accept people in the business doing things the same way for years because that’s the way it is always done, so why should we do that ourselves?


I welcome your comments and perspectives.

  1. May 12, 2017 at 8:42 AM

    Norman: I agree with you that Deloitte has correctly identified the need for change, but their prescriptions for how to fix it are not on the mark. While you say Richard Chambers has acknowledged the need for change, I don’t believe much real change has been happening in IIA standards and training offerings and, more importantly, the magnitude of the problem continues to be muted by “feel good” sentiments. There is an urgent need for radical change. Perhaps if the IIA offered the training on objective centric risk assessment that both you and I are calling for, that would be a very good start.

    • Rosidah Nordin
      May 15, 2017 at 12:33 AM

      I like your suggestion, Tim, for the training on objective centric risk assessment. That will indeed be a good start. Count me in!

  2. Norman Marks
    May 12, 2017 at 9:08 AM

    Tim, I think you will agree that it’s less about “objective risk assessment” than about understanding the risks to enterprise-level objectives. Objectives exist at all levels of the organization and IA should prioritize risks to the strategies, objectives, and plans that are critical to the success of the organization.

    In other words, auditing what matters.

  3. May 12, 2017 at 9:20 AM

    Dear Norman,

    Those reports from the BIG 4 look more or less alike, year after year. While we have to challenge the outcome a little, for the BIG 4 make money with “fixing problems”, they point to shortcomings we cannot neglect. However, while you and many others know what good looks like, there has been so little progress since 2007, as long as I have been working as CAE in the IA profession. You know, throughout that decade I delivered a PhD and several articles seeking to advance the IA profession. It seems that I did not get far with that, either.

    I can agree with all you’re saying. Like, for example, your observation “The business is being run faster and faster, yet our reporting process remains slow and old-fashioned.” Why is that? Well, here is one aspect of it. Too many players in the IA profession do not view things the way you do. I’ve come across professionals performing the quality assessment (so allegedly experts in IA…) who put three things first: 1. documentation, 2. documentation, and 3. documentation. It is not about the substance of findings, it is not about the relevance of what is being audited, it is primarily about “cover your a**” for them, self-protection, sort of mimicking external audit practices. Puh!!! If we keep going that path as a profession, we cannot expect the most intelligent people to work in that field. Intelligence may then become an obstacle. In contrast to your perspective, speed is a danger in their view. Those internal auditors do not see at all the possibility that speed and quality of internal audit work can go hand in hand.

    So, in my humble view, it seems, internal auditors shall become agents of change on a much larger scale but still too many fail – because we do

    1. NOT SEE WHAT WE DO;
    2. NOT RECOGNIZE WHAT WE SEE;
    3. NOT SAY WHAT WE THINK;
    4. NOT DO WHAT WE SAY.

    Those are the four barriers to learning and change (ref. Scharmer, 2009). Let’s address that, please.

    I miss the sense of urgency. I miss clear guidance from The IIA. If an organisation is not performing, I would look at the CEO and the leadership team and question what needs change. So, here is my question to you: if the CEO of The IIA, Richard Chambers, would kindly invite you to provide advice what to do in order to strengthen the normative power of The IIA, what would you advise him?

    Look forward to hearing from you, dear Norman.

    Best wishes
    Rainer

    • Norman Marks
      May 12, 2017 at 9:28 AM

      Thank you for the reply, Rainer. I know that Richard has seen this post because he has ‘tweeted’ it.

      Richard is a force for change, but he is neither a dictator (he has a board and volunteers run the Standards Board) nor can he readily change mindsets and the practices of practitioners around the world.

      Maybe he will see your comment and engage a task force to tackle the issue. I think the new Principles are a positive step forward, but as you say more needs to be done.

    • May 12, 2017 at 11:55 AM

      Rainer, you don’t think there’s been much progress since 2007? There’s not been much more since 1977, I was there!

    • marcushabib
      May 12, 2017 at 9:03 PM

      Rainer,

      I couldn’t agree more with your comment. Especially the “Documentation. Documentation. Documentation” part.
      Many auditors out there believe that auditing = documentation; not realising that documentation by itself cannot be a final objective, as it is not a value-add activity at its core.
      This of course attracts more people to the profession who don’t possess real auditing skills or vision, but rather are more into secretarial and administrative duties. They are usually loved by their managers because they “deliver”, disregarding the added value of what is being delivered.
      Final result? A less appreciated profession at all aspects & levels.

  4. Norman Marks
    May 12, 2017 at 9:30 AM

    Please see this song, which should be the anthem of internal auditors: https://www.youtube.com/watch?v=QUQsqBqxoR4

  5. May 12, 2017 at 9:33 AM

    :-)) Happy to contribute when jointly seeking to make better (…)

  6. May 12, 2017 at 10:42 AM

    Norman; I think we agree on many things but I’m not sure you share my central conviction that better governance requires management take full responsibility for risk management, including providing reliable reports on the status of risk related to top value creation and preservation objectives to the board. The role of IA should be to enable and facilitate management taking on that responsibility and providing reliable reports on management’s risk assessment and risk status reporting processes and management’s reports to senior management and the board on the current state of residual/retained risk. The IIA has never really accepted that it should be IA’s job to convince their organizations that management needs to own risk management, including providing reports on the state of risk. As long as IA believes they should function as the primary risk assessor/reporter major governance crisis will continue. Many management groups are happy to allow IA to continue to create the illusion of good risk governance by doing 20/40/100 audits of specific topics/units/processes a year and providing subjective opinions on internal control “effectiveness”. This is what needs to change and the IIA needs to take a much more aggressive position promoting the need for management driven risk assessment and reporting. “Risk based” IA will never be a substitute for an effective management risk assessment and reporting process that is quality assured by IA.

    • Norman Marks
      May 12, 2017 at 11:33 AM

      Tim, let’s take this one point at a time.

      You say “better governance requires management take full responsibility for risk management, including providing reliable reports on the status of risk related to top value creation and preservation objectives to the board.”

      I agree with that, have said it for decades, and IIA Standards say it too.

      You then say “The role of IA should be to enable and facilitate management taking on that responsibility and providing reliable reports on management’s risk assessment and risk status reporting processes and management’s reports to senior management and the board on the current state of residual/retained risk.”

      I agree, as does IIA, that the role of internal audit is to assess how management manages risk.

      You then say “The IIA has never really accepted that it should be IA’s job to convince their organizations that management needs to own risk management, including providing reports on the state of risk.”

      That is incorrect.

      You go on to say “As long as IA believes they should function as the primary risk assessor/reporter major governance crisis will continue.”

      No internal audit team that I know of believes it is their job to identify, assess, and then to respond to risk. IIA guidance is very clear that is management’s responsibility.

      Finally, you say “Many management groups are happy to allow IA to continue to create the illusion of good risk governance by doing 20/40/100 audits of specific topics/units/processes a year and providing subjective opinions on internal control “effectiveness”. ”

      I advocate, as do other thought leaders including Richard (I believe), that internal audit needs to provide assurance on the controls relied on to address the more significant risks to enterprise objectives. The trouble is that audit reports too often say a control weakness represents a high risk without saying “to what”.

      “Risk-based” internal auditing is the right path as long as we are talking about the more significant risks to enterprise objectives.

      It is absolutely unnecessary to require management to provide a formal statement on risk and related controls for IA to audit against. It can be assumed that the controls in place, including those in the risk management process, are what management intends to be in place and that they believe they are adequate.

  7. May 12, 2017 at 12:03 PM

    Norman: I don’t agree with your assessment that “The IIA has never really accepted that it should be IA’s job to convince their organizations that management needs to own risk management, including providing reports on the state of risk.” is “incorrect”. I also absolutely disagree with your conclusion that “It is absolutely unnecessary to require management to provide a formal statement on risk and related controls for IA to audit against. It can be assumed that the controls in place, including those in the risk management process, are what management intends to be in place and that they believe they are adequate.”

    I believe organizations in which management self-assesses and reports on the status of retained risk linked to key value creation and preservation objectives, and Internal Audit quality assures and reports on the process management uses and the report to the board, will be better governed and have superior risk governance relative to organizations where management does not formally assess and report on the status of risk linked to top value creation and preservation objectives. I sense you have never worked in an organization with a robust risk self-assessment and reporting process owned by management. If this is true, I’m not sure you are qualified to offer a strong opinion on which approach produces a better governed organization until you have first-hand experience. I have spent the last 30 years of my life helping organizations where management and board decided management self-assessment of risks to top objectives will outperform informal approaches to risk management. I have also worked with scores of companies where management makes no formal representation to the board on the true state of risk. Having seen both, I have no doubt that a self-assessing and reporting company will be better governed and have a healthier risk culture than one where management is not required to report on the true status of risk.

    • Norman Marks
      May 13, 2017 at 2:21 AM

      Tim, you sense wrong. At Solectron we had a robust self-assessment process that covered many critical sources of risk.

      I do agree that where management has a robust ERM (but there are very few of these), internal audit’s job is much easier and management is likely to be more effective.

      By the way, risk management is far more than risk reporting.

      Are you familiar with the IIA position paper on the role of internal audit in risk management?

    • May 13, 2017 at 6:46 AM

      Norman, Tim. Taking a simplistic view, the purpose of internal audit is to check that controls are complete and working. In order to ensure controls are complete IA need to check that those risks the controls should be managing have been identified by management. Since risks derive from the organisation’s objectives, IA also needs to ensure that these objectives are clearly stated. Thus before the process which plans the audits (standard 2010), and as part of each internal audit, IA needs to ensure that the appropriate management have clearly stated their objectives, identified the risks threatening the achievement of those objectives and put in place the controls necessary to manage those risks down to a level acceptable to management. This is not ‘new’ internal auditing, it should always have happened, otherwise IA cannot prove that the controls being checked are complete. Although I recognise that it is only now we are seeing the need to do this assessment.

      The requirement to check management’s competence in identifying the controls necessary is wider than the position paper, which implies a more limited assessment of the ERM process, as might be carried out periodically, not as part of the audit planning process, or individual audits.

      In the 2016 proposed changes to the standards, the interpretation to the planning standard stated, ‘To develop the risk-based plan, the chief audit executive first considers the risk management framework and consults with senior management and the board and then draws conclusions reached from internal audit’s risk assessment.’ I (and presumably others) objected to this interpretation since it implied that IA would carry out a risk assessment, which is clearly management’s role (as stated in IIA’s own position paper). This has been changed in the final standards but in 2010.A1 – ‘The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process’. There is no clear requirement that the ‘documented risk assessment’ must be management’s and, if this risk assessment is judged to be inadequate for the basis of the plan, the board must be informed. I believe the standards are vague and, on this basis, I agree with Tim.

  8. May 12, 2017 at 2:53 PM

    Norman – you provide some very interesting points in this post. One that hasn’t been commented on is #4 – delving deep into WHY the CAE is not getting the respect s/he should. I have witnessed CAEs going before the audit committee and being happy with a few surface questions on their activity summary presentation and the detailed audit reports provided. Based on my experiences, this can happen for two reasons: 1) the audit committee doesn’t know enough about auditing to truly challenge why and how this CAE is doing what IA is doing and/or 2) the CAE is satisfied that the audit committee isn’t expecting more from IA or expecting them to change.

    Is this your experience, Norman?

  9. grcsphere
    May 12, 2017 at 3:03 PM

    Rainer, We think your response is right on. We have been a strong proponent of the IIA Maturity Model and have developed a number of educational offerings for them. Level 5 espouses the change agent mentality and you have called out this mission-critical success factor for our profession. Good going!

    Phil Wilson,
    The GRC Sphere
    http://www.GRCsphere.org

  10. May 13, 2017 at 2:10 PM

    Norman: I, far more than most, believe that effective risk management is far more than risk reporting. I stress the need for risk management skills training far more than most internal auditors and outside consulting firms and put great emphasis on it in my engagements. Our approach at Risk Oversight Solutions is fundamentally about capability transfer to management, IA and risk specialist groups. The old adage, give a person a fish and they have a meal, teach a person to fish and they have food for a lifetime, holds true in risk management. Unfortunately, few IA functions I have seen include much if any training capability as part of their service offering, nor do many risk management groups. This is unfortunate. Glad to hear you were involved in a company that had a robust self-assessment framework, even if it was only one. Unfortunately, few IA functions and the IIA itself do not stress the importance of a robust risk self-assessment framework as a key component of a healthy risk culture. This is also unfortunate. Regulators need to recognize that, if they want management to have a robust and effective risk management framework, they need training. People are not born knowing how to do effective objective centric risk assessments, including internal auditors. Training must help lay a sound foundation.

  11. May 14, 2017 at 4:47 AM

    Norman; On your point of the IIA position paper, I not only have read it but reference it in my training. What the IIA paper doesn’t say is that IA should quit doing formal risk assessment for management and concentrate on ensuring the board knows all instances where an objective is critical to the success of the organization but management has decided no formal risk assessment is warranted. If the objective is important enough to warrant an expensive internal audit, why wasn’t it/isn’t it important enough for the management responsible to self-assess and report upwards? IA needs to do far more to encourage management to implement effective objective centric risk self-assessment. Unfortunately, the majority of IA shops seem content to continue to be the primary formal risk assessors/reporters. As long as IA continues to retard the growth of management risk self-assessment, I will continue to believe IA represents a significant risk to better risk governance globally.

    • Norman Marks
      May 14, 2017 at 5:03 AM

      Tim? The position paper makes very clear that internal audit may facilitate but may not perform the risk assessment themselves.

      Your assertion that internal audit is the primary risk assessor is either fallacious or means that the people you are talking to are in violation of IIA guidance.

      In fact, most internal audit functions assess the quality of controls relied upon to address risk and identify deficiencies in their design or operation. That does not make them risk assessors.

      You believe in self-assessment. I do not believe that to be necessary apart from management’s responsibility to identify, assess, and respond to risk. That includes reporting on such to the board.

  12. David
    May 14, 2017 at 6:56 AM

    Norman,

    Think your points are good ones, but I think Audit, as always, continues to be caught in a, “where do we fit in” syndrome.

    I am in Compliance and right now with the 3 Lines of Defense, Audit, Compliance, Enterprise Risk Management, Board Risk Committee structures, SOX, Control groups at the business level, etc…it can feel confusing for all involved.

    Audit is connected to Board level reporting and I feel needs to flex its muscles in re-stating its role and importance – demand a spot at the table, don’t just ask for one.

  13. May 14, 2017 at 6:58 AM

    @ Norman @ Tim @ The IIA – If two so smart and highly experienced professionals and internal audit / corp gov thought leaders like you both cannot agree on some fundamentals, I get an idea why the internal audit profession is where it is. We all need to watch out: EGO is the ENEMY.

  14. May 14, 2017 at 7:31 AM

    The IIA says this about position papers, ‘While Position Papers are no longer an official part of the New IPPF, these documents are still relevant and valid for practitioners and other interested parties’. However, the standards are not much help. As I have written above, the planning standard is vague and 2010.A1 could be interpreted as IA being permitted to plan using its own ‘documented risk assessment’. Standard 2120 on risk management is very relevant but comes after the planning standard. So the audits are planned first and then IA checks whether the risk assessment on which the plan is based is adequate! There doesn’t seem to be an explicit requirement in the standards for IA to report to the board if management’s risk assessment is not suitable as the basis of an audit plan.

    The standards need revising to state:

    Before the planning process commences, IA should verify that management’s processes follow those specified in the interpretation to 2120.

    The internal audit plan should be based on management’s assessment of risk. If that assessment is inadequate, this should be reported to the board who should then instruct IA as to the action necessary.

    • Norman Marks
      May 14, 2017 at 7:47 AM

      David, I may be wrong but I believe guidance prefers that we base the audit risk assessment on the organization’s risk assessment if the latter is viable. However, we remain responsible for the basis for the audit plan.

      • May 14, 2017 at 11:20 AM

        Norman, I don’t understand what you mean by, ‘the audit risk assessment’. How does this differ from the organisation’s risk assessment?
        I agree that IA remains responsible for the basis for the audit plan.

        • Norman Marks
          May 14, 2017 at 12:09 PM

          I mean the risk assessment relied on by IA. For reasons too long to explain here, IA should consider modifying management’s assessment to reflect factors like their confidence in management, the history of control deficiencies, the time since audit, whether there have been system or process changes, and so on. In other words, their assessment of whether there is a high level of risk that controls won’t perform to management’s expectations. In addition, internal audit needs to break down each area of risk into risk sources appropriate for individual audit engagements. I discuss this in my book, of course.

  15. May 14, 2017 at 7:36 AM

    Norman: Re: “Your assertion that internal audit is the primary risk assessor is either fallacious or means that the people you are talking to are in violation of IIA guidance.”

    You have said in prior posts IA should always ask if management has done a self-assessment of the topic/area/objective being audited. I believe in a large percentage of organizations around the world the answer is still “NO”, or at best, it was covered in a semi-annual low-rigor risk-centric workshop where participants were asked “What do you see as the risks to ………..?” IA then completes their version of a risk assessment since management hasn’t done one. If the answer from management is “YES”, I believe the role of IA should be to quality assure the risk assessment done by management and report on its reliability. I have seen very little evidence in my tracking of global developments and work around the globe that IA functions have made the shift from doing the primary DOCUMENTED risk assessments themselves to quality assuring DOCUMENTED risk assessments done by management. Good managers/CEOs/Boards are continually thinking about risks and ways to deal with risks to what they want to accomplish. That is a given. How many management teams bring structured rigor to the risk assessment process and cover all the top value creation/preservation objectives is a much bigger question. The FSB Principles of Effective Risk Appetite call on management to play a much bigger role formally assessing and reporting upwards on the state of risk. FSB wants boards to oversee the process. FSB wants IA to refocus and put heavy emphasis on reporting on how well the other players are discharging the roles the FSB thinks they should play. That would be real progress. My take is the IIA hasn’t given much support to the FSB risk governance vision/interpretation of what constitutes “effective”.

    David: Re “Taking a simplistic view, the purpose of internal audit is to check that controls are complete and working”: I don’t agree. I think the purpose of IA should be to ensure senior management and the board are aware of the true state of retained/residual risk status linked to top/important objectives and report on how well management is doing managing and reporting on risk status. Checking “controls” on a small percentage of important value creation/preservation objectives each year will make a small contribution but can easily produce incorrect assessments, since the full range of “risk treatments” isn’t being considered and only a small percentage of the full risk universe is being assessed.

    Rainer: I believe that until the IIA accepts and internalizes that the real purpose of IA should be to ensure senior management and the board are aware of the true state of residual/retained risk linked to top objectives; and IA shops need to stop assessing and reporting subjective opinions on internal control “effectiveness” on a small percentage of important objectives and claiming that produces high assurance major problems will remain with the status quo IA paradigm.

    • Norman Marks
      May 14, 2017 at 7:50 AM

      Tim, you are welcome to your personal opinions, but not your facts about the IIA and whether IA is taking the place of ERM.

      I won’t comment further.

    • May 14, 2017 at 11:15 AM

      Tim, you state, ‘ I think the purpose of IA should be to ensure senior management and the board are aware of the true state of retained/residual risk status linked to top/important objectives and report on how well management is doing managing and reporting on risk status’. I agree and have written above that IA needs to do this before beginning the planning process.

      However, how can IA report on, ‘how well management is doing managing risk status’ without actually checking that the controls in place are actually working? I’m sure most internal auditors know that what management tell them, and what management may actually believe, can be far from the situation actually on the ground. Let’s take the recent example of the UK NHS system (and others) being compromised by ‘ransomware’. IA can check that management have identified the risks, and required controls, and may be told that everything is in order, but unless an IT auditor actually checks that software is up-to-date, back-ups are being done and recovery procedures rehearsed, management’s assurances can be worthless. Obviously the ‘full range of risk treatments’ are not being considered, but detailed checking of controls can give an indication of management’s ability to actually deliver what they are telling the board.

  16. May 14, 2017 at 8:25 AM

    Norman: It would appear that you don’t just disagree with me but the Financial Stability Board and the UK Governance Code as well. I don’t want the IA to “take the place of ERM”. I want IA to promote reliable management reporting on the state of risk to boards. How that is accomplished should be the focus of IA/ERM/C-Suites and Boards.

    If you don’t think IA should be fundamentally about ensuring boards are aware of the true state of risk linked to the organization’s top value creation and preservation objectives, I think all your readers would benefit from hearing your basis for that conclusion. You have a large following globally and done a great job raising the banner on many important issues.

    • Norman Marks
      May 14, 2017 at 8:34 AM

      Tim, please stop telling me what I believe. You are wrong 98% of the time when you say that.

      I do not disagree with the FSB guidance. I disagree with you!

      I don’t think internal audit should limit itself to promoting risk reporting. They should promote the effective management of risk.

  17. May 14, 2017 at 12:40 PM

    Norman; You are right. I can’t assess what you believe, only react to what you write. I certainly don’t think IA should limit itself to risk reporting. Quite the opposite. I think IA should do what it thinks necessary to ensure boards receive reliable information on the true state of risk. That can include risk assessment training, investigating, facilitating workshops, quality assuring management’s risk assessments and doing risk assessments themselves if management refuses to be the primary risk assessors. I think the main point of disagreement is that I “believe” management should assess and positively report on the state of risk to the board on a regular basis. IA should provide assurance to the board on the reliability of those reports. I’m not sure what you “believe” on that issue, but this quote from you above would appear to be what you believe: “It is absolutely unnecessary to require management to provide a formal statement on risk and related controls for IA to audit against. It can be assumed that the controls in place, including those in the risk management process, are what management intends to be in place and that they believe they are adequate.”

    I think on that point we will have to disagree.

    • Norman Marks
      May 14, 2017 at 4:45 PM

      Tim, I don’t know how you conclude what you conclude.

      Of course I believe that management should report on risk to the board, but risk management is far more than that. It extends to the taking of risk every day through informed and intelligent decision making. Internal audit should assess and report on the management of risk, not just the reports provided to the board.

      I can tell you this.

      For any organization, reports that purport to express the current level of risk are always incomplete, subject to judgment and bias, and out of date because of the dynamic nature of risk.

      I prefer that IA assess management’s continuing processes rather than a point in time report.

      Please limit your comments to your opinions and do not infer mine.

  18. May 14, 2017 at 12:47 PM

    David; I have been trying to encourage IA to focus on the full range of “risk treatments”, not just what has historically been called “internal controls”. When management makes a representation whether risk treatments are in place and how well they are functioning, I absolutely believe IA should quality assure management’s assessment of risks and the reliability of their description of the risk treatments in place and the current state of “residual risk status”, including current performance on the objective being assessed. When management misstates their description of risk treatments there are generally only two main reasons – they consciously lied, which is really serious, or, alternatively, they thought the risk treatments were in place and producing a satisfactory level of residual risk but are mistaken. In both cases IA needs to provide feedback to the board on those conditions if they exist. If management reliably assesses and reports on risks and risk treatments, IA needs to provide a very positive report on management’s assessment even when the status management has disclosed indicates very high levels of retained risk outside of their risk appetite and the board’s risk appetite.

  19. Ian Clegg
    May 15, 2017 at 12:15 PM

    Tim, I agree with your sentiments. Management are responsible for identifying risks, defining and assessing appropriate control strategies and putting monitoring and performance management processes in place. Management should therefore already have an informed opinion on the adequacy and effectiveness of their controls. The role of internal audit is to confirm or challenge this opinion thereby providing assurance in respect of the effectiveness of the risk management process.

    Management should have to earn the right to be audited – they first need to get themselves to the point where they have an informed opinion on their control environment, then an audit opinion will really add value. Too frequently, audits are performed in areas where risk management is immature or non-existent – the cart before the horse.

  20. May 28, 2017 at 6:55 PM

    The IIA is to GRC what PMI is to project management. Both have hurt the practice they supposedly support. They are self-serving… creating all kinds of terms and low-value mechanisms / processes. They create a degenerative group-think. Sadly there is no competition for them, and they make $$$$ by getting the ill-informed to believe that their flawed, over-engineered processes are actually “best practice”.
