When an internal audit consultant goes seriously wrong

In a recent post, I criticized Protiviti’s Brian Christensen for saying that internal audit should monitor risks. I said that was management’s job, not internal audit’s. If management is not doing that job, there’s a serious problem that internal audit should be reporting to the board. Brian replied, correctly and appropriately, that he agreed with me; internal audit should assess management’s processes for identifying and assessing risks and, if they are adequate, use them as the basis for developing the audit plan; if they are not adequate, that should be reported but internal audit still needs to do the work necessary to ensure the audit plan addresses the more significant risks to enterprise success – see also my recent post where I shared a 2003 Position Paper from (UK) IIA.

I accept and agree with Brian’s explanation.

But I cannot accept another piece of (mis)guidance from Protiviti.

Risk Awareness and Analytical Insight: Driving Audit Into the Future was written by two of the firm’s leaders in healthcare auditing.

It starts with a disturbing comment. Despite recent IIA surveys showing that an increasing number of IA functions are updating their audit plan on a more frequent basis, Protiviti says (my emphasis):

When it comes to risk awareness, the status quo for the past several years has been to conduct an annual risk assessment that established the compliance and internal audit plans for the year. In some cases, those were being performed only every two to three years. Based on a recent poll that was taken during a webinar titled Focusing on the Risk Assessment Process in a Dynamic Environment, approximately 50% of the respondents indicated that they conduct a risk assessment annually or even less frequently. Audit hours would then be focused on executing projects from the plan with little regard to changes in the environment throughout the year. Occasionally, something would surface that shifted audit’s focus from the annual plan to an event at hand that warranted attention, but this has been the exception rather than the rule. It is not acceptable or viable simply to move forward with the way things have always been done. Internal audit and compliance must retool themselves to leverage data in new ways to help prioritize their focus.

I agree with the authors’ comment. It is certainly “not acceptable or viable simply to move forward with the way things have always been done”, not if that includes basing audit engagements on what used to be a risk.

Having correctly made this point, the authors make a huge mistake.

They say:

We [internal audit] must alert the business to external conditions that are changing, whether that be in terms of regulatory matters, payer behavior, payment models, customer population or other obstacles the industry is experiencing.

If management and the board rely on internal audit to do that, instead of doing it themselves, the organization is in dire straits. I am not saying that internal audit is not competent; I am saying management is not competent!

Internal audit needs to have some serious conversations with the executives and the board if this is the case.

No.

Internal audit should be assessing whether management is doing its job. If not, then inform the board so they can act.

The rest of the Protiviti article expands on this incorrect approach.

I hope and trust nobody follows their example.

I hope and trust that Protiviti (and I rely on Brian for this) acts to stop both the message and any related internal audit services they are performing. They are better than this. The firm was a go-to co-sourcing partner when I was a CAE and I am friends with a number of their people.

That’s my rant for the day.

What do you think?

  1. David Beer
    June 7, 2020 at 10:12 AM

    Fully support your view Norman. Personally I would first approach the CEO or Chair of Audit Committee and advise him he and his team are falling short at managing the company in the specific areas before reporting to the Board. I think there needs to be a good working relationship between the CEO and the CAE. I always tried to ensure that when I was a CEO. Going straight to the Board and I usually learnt a lot and took any necessary action.

  2. John Fraser
    June 7, 2020 at 10:42 AM

    Agreed, but my rant is that the COSO 1992 internal control framework required, as one of the five elements of internal control, that management should be doing risk assessments for every process, project etc. And yet it appears that almost every internal audit function since then failed to identify and report this omission to their audit committees. Had this been done, then audit committees (those that were not asleep) would have required management to be assessing and dealing with risks in a more meaningful manner.

    • Norman Marks
      June 7, 2020 at 10:45 AM

      True

  3. June 8, 2020 at 3:23 AM

    Norman, you’re right again. Protiviti is also missing an important point here. When management and their staff determine the risks (and opportunities) which affect their objectives they are also learning about the business. The process of determining and constantly monitoring for opportunities and risks is not some bureaucratic exercise but an essential part of managing a business (your point about management competence). It’s a shame that a consultancy has missed this point.

  4. Bruce McCuaig
    June 8, 2020 at 4:55 AM

    Norman, I’d like to offer a couple of comments. I would prefer that auditors avoid the use of “adequacy” or “effectiveness” and instead opine on whether risk management processes are achieving intended outcomes or performance. Those are the only real measures of success and should be applied to internal audit processes as well. In my years of experience as an internal auditor and consulting with internal audit departments around the world, I struggle to recall objectives or performance taken into account and found resistance from clients in explaining why it was important. Protiviti is perfectly capable of defending themselves but unless they were hired to transform internal audit I think the criticism should be directed to the departments that engage them. Finally, I believe if any COSO component needs attention and assessment, I’d pick Control Environment.

  5. Richard Fowler
    June 8, 2020 at 5:39 AM

    Norman, I interpret the Protiviti statement differently. When they state the IA “must alert the business to external conditions that are changing,” I don’t see that as putting the risk management responsibility on IA. They are stating that, if IA is to review the risk management process, we cannot identify a weakness if we are not actively looking for gaps in risk coverage. And of course we must alert the business if we identify such gaps!

    As I understand it, risk-based audit models differ from control-based audit models in that controls can be tested quite easily to determine if they are effectively designed and implemented to address a given risk. If we instead test whether risks are being effectively managed, we need to be able to identify weaknesses in the risk management process. That means we must assess risk treatment, risk evaluation, risk analysis AND risk identification.

    Anyway, that’s how I view the Protiviti statement. Great discussion in this thread so far!

  6. fata
    June 8, 2020 at 5:44 AM

    Most organizations are going to the trap of ISO. Lack of understanding of Process Approach, then jump to risk-based thinking requirements.

  7. Glenn Daly
    June 8, 2020 at 3:04 PM

    Not sure where the article says management should not be identifying changes?

    If IA is to go to the BOARD saying management is not doing its job, it needs some solid evidence. That is, examples of where changes are occurring which management is not aware of. How does IA know this, without knowing itself?

    If IA is aware of something, that is significant or critical to a key risk, that management is not aware of, should they really be going to the Board directly? They would in effect bypass management and highlight it to the Board? Not sure this approach would win many friends amongst management?

    I thought literature from consulting firms was worded in such a way as to ultimately win more work through some new way of doing something, creating doubt or confusion in the minds of the reader whether their function is operating optimally, keep their name out there as a thought leader etc. Not necessarily from the perspective of the business operating efficiently and effectively? Hence the way the Protiviti article is worded? And perhaps the way some then post comments on it?

    • Norman Marks
      June 8, 2020 at 3:55 PM

      Glenn, the way I read the article is that internal audit needs to be monitoring the internal and external environment so they can tell management that ‘risks’ have changed.

      My point is that thinking about and addressing what might happen is an essential part of management.

      Internal audit doesn’t have to do the research themselves to see whether management is considering how things are or could change and affect the business. They simply have to ask questions about how management is monitoring what customers, competitors, suppliers, and others are doing. If management has a risk management process, they can see how often it is updated. Many only do that annually.

      I don’t think it is hard to know.

      The key point is that IA should assess whether management is identifying the ‘risks’ to its objectives. If not, then IA should comment on that to the CEO and then to the board. They should not assume that it is their job to do the monitoring.

      Even when IA is tasked with leading ERM, they should be facilitating management’s activities rather than identifying and assessing risks themselves. That is what I did as CAE and CRO.

      Management owns risk, not the CRO or CAE.

  8. Anonymous
    June 9, 2020 at 11:00 AM

    Reading literally Norman, you are correct. I would like to think the authors meant to focus on the need for internal audit to also be assessing the external environment and assessing how well management is identifying trends and threats to the organization. I see far too many internal audit leaders that rely solely on “interviews with management” to gather their list of risks for planning purposes without doing their own independent external and internal risk analysis and industry research. Going back to auditing 101, at times re-performance is the best audit methodology to assess how well the organization is doing. Audit leadership 1) cannot completely walk in the shoes of management, 2) should not solely rely on management’s comments, and 3) should not be the first to gather risk data. Audit leadership should conduct some level of risk analysis themselves as a comparison to management’s assessment and report the difference as necessary – while being sure to clarify a differential in rigor and transparency versus differential in perspective and opinion.

    • June 9, 2020 at 11:02 AM

      My Comments…

    • Norman Marks
      June 9, 2020 at 11:32 AM

      Interesting. I’m not sure we should perform a separate risk assessment and compare our results. We never have the same level of experience and insight. I prefer to ask how they do it.

      Certainly, IA should get an understanding of the business, inside and out.

  9. Anonymous
    June 9, 2020 at 4:30 PM

    Your point amplifies a serious shortcoming of the entire profession. Take a look at all of the bankrupt companies over the past 20 years that had robust internal audit departments, with greater than 200 auditors on staff. The list is long. While we all agree with the separation of responsibilities you skillfully surface, it is frightening that internal audit spends too much time in this delineation space.
