The Most Important Thing Internal Audit Can Do in 2014 - Part 4


So far (see parts one, two, and three from the previous days) we have spent a lot of time talking about the need for change. Of course the obvious question, if we all agree on that need, is how we accomplish it. Welcome to part four.
I ended part three of this series with the following question: "Do we have to be independent and objective?" That little bit of heresy gets to the real point of this entire ramble/rampage/rant/resolution/call to action. If we want to ensure internal audit moves into that new, relevant future, we must be ready, willing, and able to identify creative innovations. For internal audit to maintain its relevance – to be more than a partner in the business, to be a driver of business success (a requirement that does not conflict with any of our standards) – we have to be ready to shuck some of our preconceived notions and find the unsuspected solutions
We have to challenge our assumptions. We have to question all we do. We have to creatively identify the opportunities and approaches we need. We have to reevaluate and revalue all we have done while looking for the things that were never there before.
We have to be exploring. Is our role more than the experts on control? Is it our duty to be in charge of risk identification? How do new technologies (some not even having been invented yet) impact the way we work? How does internal audit's use of social media fit into this whole equation? What does it mean to have the cloud available to us? Is there more to life than just "consulting"? 
And the big question – are we leaders or are we followers?
I don't know the answers, I don't know the solutions, and I don't even know what the next steps might be. I just know we need them, and we need them now. That's where that whole "creativity" and "innovation" thing comes in. The idea isn't going to come from me; the idea isn't going to come from you – it is going to come from all of us working towards a new vision for internal audit. 2014 is the time when we have to work together to come up with the new solutions. 
Things are only going to happen faster. And the lethargic approach to change we have embraced in the past is not going to get us where we need to be.
And don't argue with me on this one. We do not move quickly. When was the last time your internal audit department went through a seismic change? When was the last time it did little more than tweak to make things better? When was the last time you sat back as you reviewed the previous year, looking at all your department accomplished, and said "Wow"? Seriously, when did it ever happen? (If it did, let us all know, because, as I say, we need to work together on this one.)
My challenge to you – challenge everything.
Challenge what you accept for internal audit. Challenge what others expect of the profession. Challenge the way you do things. Challenge the way you think.
Challenge everything, and then create.
Create the new department. Create the new profession. Create the new company. Create an internal audit department and profession that is more than value add, more than partner, more than a regulatory requirement. Build an internal audit department and profession without which no one can live.
As they say in Men in Black, imagine what you'll know tomorrow.
Here's the final thought – I started all this by saying that I didn't believe the beginning of the year really means anything in particular. And that is why I hasten to add that everything I've said above – all the rhetoric and exhortations and pleadings and bludgeonings, etc. – are not a representation of an abrupt change because a new year is here. Rather, this just happens to be the point in time when such exhortations are appropriate. It is just a happy happenstance that the subject comes up now.
We have been building to this for almost 75 years – all the years internal audit could be considered a profession.   Now, the time is ripe.  2014 must be the year of creativity and innovation for internal audit.
Keep in touch; let me know how it is all changing. And I'll keep in touch with you. This is the year. And I want us to all be a part of the seismic change that will happen.

Posted on Jan 17, 2014 by Mike Jacka

Share This Article:    

  1. Mike: Great post. Thank you. I believe that the Financial Stability Board ("FSB") has painted a new vision for internal audit in their November 2013 paper on Effective Risk Appetite Frameworks. This FSB paper has been directed to financial sector regulators around the world. My response to the FRC in the UK this week (the FRC is the UK equivalent to the SEC and PCAOB) calls on the FRC not to dismiss internal audit as irrelevant going forward to better risk governance but rather embrace the vision of internal audit's role that the FSB has asked financial regulators around the world to embrace. The opportunity the FSB has offered to the IA profession is huge and unprecedented. My fear is that IA profession will not be able to evolve quickly enough to meet the new FSB internal audit expectations. The IIA needs to take radical transformational steps to prepare the profession to meet these new expectations. Incremental steps are always attractive relative to transformational change but not what is necessary at this stage in the development of the profession. Thanks for calling on all internal auditors to be part of the profession's next generation of evolution and opportunities.
  1. Mike. Happy new year! An excellent and thought provoking blog. But is a seismic change really necessary? I think that depends on the methodology of each internal audit department and how close it is to the fundamental objective of internal audit. I think IA's objective is to provide an independent and objective opinion to an organisation’s management as to whether its risks are being managed to acceptable levels. I hope this includes all your requirements: the need to understand how the business operates, now and into the future; the need to be creative and innovative; the need to be active. Continued below...

  1. This is not the definitive of a passive, consulting department (why is consulting even in the IIA's definition of internal audit?); it is the definition of a department willing to nail its colours to the mast and express an opinion which may eventually find its way through to the financial reports. Whether an internal audit department has to undergo a seismic shift depends on how near it is to this objective. However, maybe the profession at the top needs an earthquake. Look at the sessions so far announced for the International Conference. Isn't it more of the same? The most likely relevant session (Adapting to the pace of change) is given by the former Communications Director to Tony Blair. I'm sure it will be a good talk, but it's not likely to shake the foundations of IIA Inc .and change also needs to come from the top. Continued below..

  1. (Sorry about the multiple comments but there'sa 2000 character limit). However, if we are to change, we must not take on responsibilities outside our competence zone. Much as we might think we could run the organization better than the existing board, it's not our job and if we try and do it we'll be back looking at stock counts and petty cash. It's not even our job to determine risks, that's management's responsibility; although IA can help. Our expertise is in examining the organization's response to its risks and providing an opinion on them.  Continued. below..

  1. How to avoid complacency? One technique I used to use (after I had left internal audit!) was to have twice yearly meetings with my deputy on the subject of 'Life, the Universe and Everything' (see 'Hitchhiker's Guide to the Galaxy' by Douglas Adams). The only agenda item was that everything was up for grabs: if we had a magic wand what would we really like to do; what would we get rid of; is the organisational structure right; are we interacting with our customer departments to their (and our) maximum benefit; are we squeezing the best effort out of our resources? This type of meeting could be with anyone relevant to IA with an open mind (IA staff, the audit committee, customers). Although informal (in the UK tea and biscuits (cookies) are essential), notes need to be made of the meeting and initiatives arising need to be persued. Keep up the good work Mike, let's rattle the bars of our cages.

  1. Tim and David,

    If you are out there, just wanted to let you know that I'm not ignoring you. You've both got some real good points, and I want to take some time to respond.  And, as David noted, 2000 character limit may be a problem.  (After all, it took me four posts to just get my thoughts down.)  So, I'll be putting up a new post in response to what you've both had to say.  With any luck, should have something by Monday.

    But, again, thanks for the responses.


  1. Mike: I would encourage you to also read my newest Conference Board Director Notes article titled "Risk Oversight: Evolving Expectations for Boards" released Jan 8 2014. A simple Google search should get you a copy. The new board risk oversight expectations present an unprecedented opportunity for audit departments willing to "re-tool" their methods to better support boards. Those IA shops that stick to traditional IA roles and continue to give subjective opinions whether they believe "internal controls" (versus the much more robust "risk treatments) are "effective" or not may soon be viewed as irrelevant to the boards they serve. Boards desperately need reliable information on management's risk appetite and tolerance to discharge their new responsibilities. Internal audit has an opportunity to be a primary support for boards.

Leave a Reply