Home > Risk > The Evolution of Internal Audit

The Evolution of Internal Audit

Now is an opportunity for internal audit leaders to pause, reflect, and consider whether it is time to leave past practices – even if they have proven remarkably successful – for a different approach to internal auditing.

As I said to the author of Reassessing Risk: What Matters Most Now?:

“Never has business changed so much, so fast”

“As the business is probably going to be run differently, so shouldn’t we run internal audit differently?”

“Doing a traditional audit that takes weeks, if not longer, is not necessarily going to help business leaders run the business today”

Another article that appeared this month in Internal Audit 360o was The Value Challenge in the Evolution of Internal Auditing. The Italian authors, a CAE and a manager in a consulting firm, said:

The recent macroeconomic developments emphasize a change that is already taking place: remaining anchored to the most traditional and archaic conception of the internal audit mandate exposes the profession to the highly probable and impactful risk of losing relevance, progressively emptying not only its perceived value but the real content of the profession as well.

We live in an era of epochal changes which demand an evolution of the internal audit profession. Paraphrasing Darwin: if we as auditors will be more reactive to change and will change proactively, we will not only survive, but also consolidate a competitive advantage. The alternative would lead the function to an inexorable, progressive decline.

I am pleased to see a growing number of internal audit departments moving from a static annual (or worse) audit plan to one that is dynamic and based on a continuous understanding of how the business and its environment is changing. (Some call that risk assessment, but it’s really more than that.)

Certainly, continuous monitoring of the business that dynamically updates the audit plan, so that internal audit is addressing what matters now and soon to the leaders of the organization, is important.

But there is more to being agile, a term mentioned in the second piece.

Think about the navy.

Do its commanders send in a fleet every time there is an issue?

No.

They recognize the need for agile, fast, and mobile forces that are capable of acting quickly to achieve their mission, in addition to the more traditional use of overpowering force.

Internal audit needs similar capabilities.

There are times when a fleet of auditors needs to be sent to attack an issue.

But, that fleet takes time. It requires time to plan, mobilize, and then execute. It may also require time to consolidate, consider, evaluate, and report its findings.

Can the organization wait? Don’t they need information on significant ‘risks’ now rather than later?

The modern internal audit team needs to be as agile as its audit planning. It needs the ability to send in a one or two person commando team that will get in and out rapidly, with the information needed by leaders of the organization.

Audit at the speed of risk and the business, providing management and the board with the assurance, insight, and advice they need, when they need it (i.e., not waiting weeks for a formal report), in a readily actionable form.

In my internal audit departments, the typical audit was one or possibly two people for a week or two – total, not just fieldwork. They focused on the few risks at any location or in any business process that had the potential to be significant if poorly controlled.

If you spy an enemy risk on the horizon, you need to evaluate and respond at top speed, not waiting until the fleet has arrived.

How agile is your internal audit team? Do you have speedboats or only battleships?

Is your average audit 200 hours or more? If so, are you auditing areas where, even if there were problems, they wouldn’t rise to the level that requires CEO or board action? Why? Are you taking too long to provide management and the board with essential assurance, advice, and insight?

Audit with focus and be agile about it.

I welcome your thoughts.

  1. June 14, 2020 at 12:40 PM

    Norman, I can understand why you don’t like static annual plans, but I believe there is a place for the annual plan, for two principal reasons:

    1- Many Audit Committees/boards have to confirm they have assessed risks. For example the UK Corporate Governance code requires,’The board should carry out a robust assessment of the company’s emerging and principal risks. The board should confirm in the
    annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks, and an explanation of how these are being managed or mitigated.’ If I was an Audit Committee member, I would want to know the work that was to be carried out to allow me to make this statement. Which brings me to the second reason:

    2 – I would want assurance from the CAE that they had adequate resources to carry out the work, including covering emerging risks. If resources were strained at any time, by these emerging risks, at least I would be able to agree what was dropped. To understand the resources required, the CAE needs an annual plan to set an annual budget.

    You say of the navy, ‘They recognize the need for agile, fast, and mobile forces that are capable of acting quickly to achieve their mission, in addition to the more traditional use of overpowering force.’ That implies that IA also needs to keep its traditional use of overpowering force. In practice, I agree that IA does need to be agile and concentrate on processes which, if they fail, would result in material losses. This includes the need to occasionally delve into the detail and that can take time. After all, a good commander not only has vision but an understanding of detail.

    • Norman Marks
      June 14, 2020 at 1:03 PM

      David, I don’t think you have disagreed with anything i wrote.

      I think you have read my books and know you have read my blogs, so you also know that I provided the board with an annual plan – but told them that it would be updated continuously as the business and its environment changed. They wholeheartedly supported that.

      We certainly need to assess how management addresses “risk”. I have said that if IA does not do that, the CAE “deserves a seat at the children’s’ table”.

      I also agree that the CAE needs to affirm or otherwise that he or she has sufficient resources to address the more significant issues. I provided a list that showed not only what I planned to address, but also which engagements fell below the resource line.

      The main point is that IA needs to provide the information needed to run the business when it is needed to run the business. They can’t afford to dilly dally and miss the van!

      • Michael Corcoran
        June 14, 2020 at 6:36 PM

        Norman, I have no clue what you are talking about or suggesting. This is crazy. IA doesn’t provide the information to run the business? Get a grip, man.

        You said.
        “The main point is that IA needs to provide the information needed to run the business when it is needed to run the business. They can’t afford to dilly dally and miss the van!“

        • Norman Marks
          June 14, 2020 at 7:06 PM

          Internal audit provided assurance, advice, and insight. That is what I am talking about. If audit engagements are focused on what matters, they are able to provide essential information. Sorry if that was not clear

        • Norman Marks
          June 14, 2020 at 7:09 PM

          Internal audit provided assurance, advice, and insight. If audit engagements are focused on what matters, they are able to provide essential information.

          That is what I am talking about.

          Sorry if that was not clear

          • Anonymous
            June 14, 2020 at 7:15 PM

            We all make mistakes. Mike

      • June 15, 2020 at 5:38 AM

        Agreed Norman, except that you probably needed to say ‘some of the information needed to run the business’.

  2. Barry Franck
    June 15, 2020 at 1:29 AM

    Good analogy Norman ! We also need to realise that technology is better. We don’t need dreadnoughts anymore… our speedboats have great firepower.

    • June 15, 2020 at 11:58 PM

      This is the area most important to explore in improving the audit profession.👍

  3. VSRM KASYAPA
    June 15, 2020 at 6:25 AM

    In government departments, internal audit is done by its own employees. Fearless audit may add glory to audit, but always at the cost of career prospects. Any good change may ideally start in the government.

  4. Chinwe
    June 15, 2020 at 10:39 PM

    I understand about spending more time in an audit may not produce timely report to management. But management may want the auditor’s attention to be even in the smallest activity with the least impact, thereby spending a lot of time.

    • Norman Marks
      June 16, 2020 at 6:15 AM

      But management should not be in charge of the audit plan!

  5. June 15, 2020 at 11:55 PM

    The auditing profession has been so archaic and boring. It’s needs to evolve at the same pace as technology is advancing. Internal audit is key to the progress and safety of an organization from all forms of deviation if not completely to a great extend.

  6. June 16, 2020 at 2:09 AM

    One method of shortening audits is to get mangers to do more monitoring. When I was responsible for accounts departments (payroll, accounts payable, accounts receivable), I identified about 6 ‘key controls’ in each department (reconciliations, exception reports, aged trial balance). Managers had to conform each month that that had ensured these checks took place, plus I examined some every month. If internal audit worked with managers to identify these checks, they would then only have to confirm they were in operation, thus shortening the audit time. In addition, the manager is able to have more confidence in their systems.

    • Matthew Waller
      June 16, 2020 at 2:41 PM

      Surely the answer is to have all of the above, we have an annual plan to reflect resources, the plan is dynamic and updated throughout the year, we have contingency time to react quickly when we need to, we cover fundamental systems and more traditional audits. We also have longer term consultancy to support our organisations transformation plans and major IT system developments. I don’t think you are covering any new ground here unless we are ahead of the curve. IA needs to sit at the heart of the organisation being reactive helps as does plenty of engagement, liaison and effective assurance mapping. Although we need to look at this as currently we run one organisation wide assurance mapping process a year. It would be interesting to hear how IA will adapt this process and how we keep up to date with the changing risks and COVID impacts.

  7. Robert Ng'uni
    June 16, 2020 at 11:57 PM

    This is very insightful write up!

  8. joemick15
    June 18, 2020 at 1:47 PM

    Norman,
    Astute and insightful analysis as always. Thanks for participating in the first article and for highlighting both here. It’s a strange and tough time for managers and executives in all facets of the business.

    I think all the stuff you and others like Richard Chambers been preaching about being more agile and building the organization to be able to adapt to the current situation faster and make good and informed decisions on the fly, is coming home to roost. Those who have heading those pleadings by smart observers and advisers have a big leg up on those who haven’t worked to embrace change management and agile ideas. I saw a good quote today that I’ll leave with here: “If you hate change, you’re really going to hate irrelevance.” Joe McCafferty, editor of http://www.internalaudit360.com

  1. June 14, 2020 at 8:47 AM
  2. June 14, 2020 at 10:01 AM
  3. June 17, 2020 at 5:56 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: