The State of the Internal Audit Profession

Norman Marks, CRMA, CPA, is an evangelist for better run business, focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. The views expressed in this blog are his personal views and may not represent those of The IIA.

 

PwC has published the 2014 edition of their State of the Internal Audit Profession.

The stated theme is bland: “alignment of stakeholder expectations, and matching skills and capabilities to those expectations, helps internal audit enhance the value delivered to the organization.”
 
But there is a clear message to internal audit leaders, as well as to audit committee members and others with oversight responsibility for internal audit.
 
About half the internal audit departments around the world are failing to deliver the assurance and advisory services their stakeholders need – and know they need.
 
As I reported in January, a KPMG survey of Audit Committee members found that “Fewer than half of the 1,800 respondents are satisfied that internal audit delivers the value to the company it should (45%), and that the internal audit plan properly focuses on the ‘critical risks to the enterprise’ (49%).”
 
Now, PwC is reporting similar results:
  • “Nearly 30% of board members believe internal audit adds less than significant value”. (This is an increase from the 20% PwC reported from their 2013 survey).
  • “More than half (55%) of senior management told us that they do not believe internal audit adds significant value to their organization”.
  • “Even CAEs are critical of their function’s performance, with just 65% believing on average that their function is performing well”.
  • Only 53% of respondents believe internal audit is focusing on the “critical risks and issues the company is facing”.
I highly recommend downloading and absorbing the content of the PwC study. You might first want to read what I said about PwC’s 2013 report, as this year’s is in many ways a continuation of the same theme. In that report, PwC said:
“The overwhelming opinion of 1,700 executives participating in the 9th annual PwC State of the Internal Audit Profession Research is that internal audit needs to reach for new heights and contribute to the organization in a more meaningful way. Our research clearly indicates that internal audit must continue to evolve in its focus and significantly improve its performance—or risk losing relevance as other risk functions become more vital contributors to the organization’s risk management.”
 
I commented that:
“For the first time that I can recall, PwC has (appropriately) put part of the ‘blame’ on audit committees: that they do not demand that internal audit perform at necessary levels and instead are, as PwC says, ‘settling’ for what they get. As the authors say, ‘Audit committee members must ask more questions and reevaluate their criteria for satisfaction with the value internal audit is delivering.’ The report includes a section with good questions for the audit committee to ask.”
 
I like a quote from Randal Early, CAE at Cox Enterprises:
 
“Stakeholders don’t understand that they can expect more. There’s an education of boards and audit committees needed. At the end of the day, basic blocking and tackling has to happen and run efficiently, but there is a lot more that audit can and should do to help you sleep better at night.”
 
My concluding remarks were:
“I differ from PwC in that I don’t believe they have placed sufficient emphasis on (a) the need for an audit plan that is designed to provide assurance on the management of the more significant risks to the organization, and (b) the provision of a formal report to top management and the board on the overall condition of governance, risk management, and related internal controls. I believe they understand this, and the report includes a quote from Michelle Stillman, CAE at Hewlett-Packard. She says her audit team is ‘moving away from a historical coverage model with a heavy emphasis on validating mature controls and processes to a risk-based model that gives us the ability to consider emerging risks and processes, which may be a more valuable use of our time’.”
 
The 2014 report has some excellent content and builds on the 2013 study.
 
I believe that the state of the internal audit profession is not as good as these numbers imply!
 
I believe that many if not most of the 70% of board members who say internal audit is adding significant value do not have a sufficient understanding of the full range and depth of assurance and advisory services that internal audit should be providing. I agree with PwC and Randy Early when they say that audit committee members “do not demand that internal audit perform at necessary levels” and “there is a lot more that audit can and should do to help you sleep better at night.”
 
Assurance is what helps boards “sleep better at night.”
 
Let’s talk about assurance using an example from outside internal auditing.
 
You are considering buying a used car from a neighbor. Wisely, you take it to your mechanic and ask him to inspect the vehicle and tell you whether it is in good condition, safe, and worth buying at the named price. He takes the car for a few hours and calls you back when he is finished. He says:
 
“There are a number of dents and scratches that need to be repaired and the tires will need to be replaced soon. Otherwise, the exterior is in reasonable condition for a car of this age. Everything under the hood is in satisfactory condition, but the air conditioning and heating systems seem to be working poorly.”
 
Has he answered your questions? Has he provided the assurance you need? Has he provided the advice you wanted?
 
He has behaved like many internal auditors: he has told you what is wrong, given a “satisfactory” rating to a key risk area, and not given an overall opinion on whether the car is safe and worth the money it will cost.
 
I hate “satisfactory” ratings. What does “satisfactory” mean? Why can’t an auditor provide a professional opinion, using the full range of the English language (or whatever language he writes in), to communicate whether the stakeholders should be reassured or concerned?
 
A few years ago, I said that internal auditors who don’t provide assurance on the effectiveness of risk management deserve a seat at the children’s table. I still believe that.
 
I will go further now and say that internal auditors who don’t provide the assurance that their stakeholders need (primarily the audit committee of the board, or equivalent, and executive management) so they can govern and direct the organization with confidence, do not deserve a seat at the top table.
 
When the captain of a ship tells his first officer to steer a course for Hilo and to set speed at 20 knots, he expects the people, organization, and systems of the ship to respond. Internal audit can provide assurance that they will.
 
This week, an old friend called me for advice and an opinion (knowing that I always have an opinion!). She was talking to a CAE who had told his audit committee chair that he didn’t want to provide an opinion on whether the issues he had found (access to accounts payable and a failure to report as income the spousal travel of executives) might be material to the financial statements. He said it “isn’t my job”. The CAE was terminated soon after. I told my friend that if I had been chair of the audit committee and heard that from my CAE, I would have fired him as well.
 
As internal auditors, and especially as CAEs, we should expect the board and top management to demand, as is their right, that we provide a professional opinion on whether the risks that matter to the organization are managed within desired levels.
 
This CAE was concerned about accounts payable. How many organizations have failed due to failures in accounts payable? Yet the majority of internal audit departments not only continue to audit the area but invest scarce resources in data mining for duplicate payments and so on.
 
I will close with two questions:
 
1. Are you auditing areas where deficiencies will never matter to the board? They would never materially affect the success of the organization or lead to a change in enterprise strategies. If so, why?
 
2. Are there issues on the agendas of the board and/or top management that you have not considered for inclusion in your audit plan? If not, why not?
 
I welcome your comments.

 

Posted on Apr 21, 2014 by Norman Marks


  1. Norman; Really great post. It has a similar overall theme to Richard Chambers' April 7, 2014 post, Changing Times, Changing Priorities: Are We Passing the Test?. Paul Sobel has been raising similar questions on his world tour this year as IIA Chairman. My question to you is whether you think it's time the IIA convened the equivalent of U.S. Senate hearings to get to the bottom of why so many internal audit departments are failing to deliver what customers need/want? The presentation I will be delivering to internal auditors in London next month references your blog post and Richard Chambers' post with the slide heading "INTERNAL AUDIT - IT'S TIME TO SELF-ASSESS". A more radical headline might read something like "INTERNAL AUDIT - TIME TO AUDIT THE INTERNAL AUDIT PROFESSION???"

  1. Tim, I don't think the solution requires massive study. My view is that if internal auditors are able to maintain a dynamic audit plan that focuses on the risks that matter today, and provide the assurance that our stakeholders need to direct and manage the enterprise, the level of stakeholder satisfaction will leap to the stars.

    The more thought leaders can send the same message, which I believe Richard, Paul, and I are doing, the more we can influence change.

    I invite you to join us.
  1. Great blog Norman. I totally agree that Internal audit as a profession (and as a resource) has to operate with a more strategic focus, i.e. that which is key to the success of our organisations should be key to what Internal Audit aligns its delivery of services to. This would include providing assurance around the key strategic risks of the organisation that you allude to. In my thinking we should be helping our organisations to attain and continue "sustainable performance".

  1. Norman, you asked two questions. Looking back at my career. Q1: Yes - particularly overseas subsidiaries and the staff social club accounts. Although not material, problems in the small overseas subsidiaries worried the board; we should probably have pressed harder for their exclusion. They did represent good training though and assisted recruitment. The staff social club was given to junior staff as part of their training! Q2: Yes - I think we failed to address specialist areas such as manufacturing and treasury (although we did carry out a treasury audit). In these circumstances we should have co-opted staff from specialist departments, or used external staff. One group of audits we did manage to move out were regular audits (e.g. of supplier accounts). These, and continuous audits, are the responsibility of management.


  1. Norman: If you want me to join you in continuing to champion traditional direct report auditing where auditors are the primary risk/risk treatment assessors and reporters, my answer is the same as it has been since the mid 80s: I won't be joining you. To improve risk governance, management needs to have primary responsibility to assess and report upwards on the state of retained risk. Internal audit should foster and promote management-driven risk self-assessment and provide independent reports on the reliability of management's risk self-assessment process and the consolidated report on the state of retained risk that management provides to the board. My conclusion is that traditional direct report internal auditing does not provide robust support to boards that are now expected to oversee management's risk appetite and tolerance. IMHO, real sustained success will only come from getting CEOs and senior management to acknowledge accountability to the board to routinely assess and report upwards on the state of retained/residual risk. That is the missing foundation building block for better global risk governance. If Internal Audit attempts to apply the same traditional direct report spot-in-time assessment methods on a wider universe that includes an organization's top strategic objectives, my belief, from having watched the "comprehensive audit/operational audit movement" in the 80s crash and burn, is that the results and response from key customers will not be positive for the profession.

  1. Tim, I do not champion and do not want you to champion "traditional direct report auditing where auditors are the primary risk/risk treatment assessors and reporters". That is not what I asked at all.

    First, the term "traditional direct report auditing" is a term you have created but not explained.

    Secondly, I believe we both think that internal audit should assess and provide assurance on how management addresses uncertainty (risk).

    I do not want internal audit to audit and assess a point-in-time risk assessment. That means that we are second-guessing management's assessment rather than assessing whether they have the right people, processes, and systems to provide reliable risk information.

    I think that we both want internal audit to focus, with a dynamic plan, on the risks that matter - the ones that might affect the strategies and objectives of the organization. You use different language (objective-based auditing) to describe the same approach.

    Finally, what I am asking is that rather than using the language of one (even if the one is Tim Leech), you try to adopt the language that the rest of us are using.

  1. Norman: I suspect we are not all that far apart. With respect to the term "direct report audit", it was part of the training/body of knowledge I covered to become a CA in Canada in 1981. The distinction comes from the external audit profession and is intended to distinguish an "attestation" engagement from a "direct report" engagement. A link to a standard learning module from one of the accounting/audit professions in Canada is below. I learned the terminology in the late 70s from what was then the "CICA handbook". As far as I know it is generally accepted audit terminology around the world.

    http://www.cga-education.org/2009-10/PAP/modsums/au1/m01summary.htm

    The key is that in "attestation" auditing the responsible party makes the primary representation and the auditors express an independent opinion on the representation. In "direct report" audit the auditors themselves form an opinion on the subject matter directly. The majority of the IIA curriculum and training assumes internal auditors perform "direct report" audits, not attestation audits, because management in the majority of companies does not provide a consolidated report on the state of retained risk to the board (i.e. the company has no serious risk self-assessment process). If there is no representation from a responsible party, an auditor cannot complete an "attestation" audit.

  1. Norman & Tim. Is this a private argument or can anybody join in? I see a risk-based audit as having two purposes: to report to the board that, in the area being audited, management have carried out sufficient procedures to properly determine the risks present; and that the controls introduced are operating to bring these risks to below the board's risk appetite. So I suppose the first part of the audit is 'attestation' and the second part is 'direct reporting'. The problem arises where the management have not carried out a proper risk assessment. Do the auditors pack their bags and issue a very short report, or do they stay and assist management to properly identify their risks? The answer to that question must come from the board.

  1. Tim, thanks for the explanation. Even though I worked in public accounting in the UK (FCA) and US (CPA), and internal auditing (global companies), I have never heard anybody but you use that term. 

    May I suggest that if I have never heard it, most of the people you speak to have not either.

    In addition, as you say, the term does not apply to internal audit.

    So why continue to use it? Would it not be better to talk about traditional controls auditing, which is what I think you are talking about?

  1. Thanks for joining in, David.

    If management doesn't understand their risks, then one option is to stop right there and communicate the deficiency (which is important) to management and the board. The other is to continue based on your own assessment of risks - a more traditional and easier approach. But, I would not take on a continuing role as the identifier and assessor of risks.

  1. Norman: I am very surprised that with your training and decades of experience you have not come across what I believe are generally accepted audit terms. I have pasted a link below to the International Auditing and Assurance Standards Board ("IAASB") where they use the same "attestation" and "direct" reporting to explain different types of assurance, as well as a paragraph on that page that references "attestation engagements" and "direct engagements". As the terms are also referenced in IAASB guidance issued for scores of countries that use them, I have to assume there is at least one other person that wrote the IAASB guidance that also understands them. Perhaps he is also a Canadian and Canadians are the only nationality in the world that use them, much like "eh".

    http://www.iasplus.com/en-gb/othernews/ifac/2013/iaasb-isae-3000

    "Limiting the ISAE within the context of attestation engagements only, rather than both attestation engagements and direct engagements, but allowing its use in direct engagements. Consideration of direct engagements may be the subject of a future project"

    As I have spent a large % of my life promoting the idea that management should assess and report to boards on the state of retained risk, I am afraid I will have to continue to use these terms in spite of your discomfort. I understand why traditional internal auditors that haven't had much experience with companies that have implemented entity level risk and control self-assessment in a robust way wouldn't be very comfortable with the terminology.

  1. Tim, I finished my ten year sentence in external auditing at about the time you started. In those days, an audit was an audit. Management was required to provide a letter that included assertions, but that was always required and we didn't have to talk about direct report audits.

    That being said, we are not talking about external auditing so why even think of using terms that don't apply?

    As for retained risk, how many risk practitioners use such a term? They use the term "risk". They may say "current risk" or "residual risk", but not retained risk. Of course, I know what the term is, but when you add unnecessary verbiage it does not make messaging clearer.

    I agree that "management should assess and report to boards on the state of retained risk", although I would have them report on risk (the same thing).

    As for risk and control self-assessment, I implemented that while you were working with Bruce and was part of the CSA Center at the IIA.

    Let's use language that everybody understands and is relevant to their practice: assurance, risk, and so on.

  1. Norman; As long as you agree with and champion the idea of and need for management to provide robust reports on the risk, the status of risk, residual risk status, areas of high retained risk, areas outside of risk appetite, or any other term you and others like along those lines, I'm a happy guy. The IIA could make a real difference if it simply stated that organizations where management does not currently provide robust entity level/consolidated reports on risk to the board, hence internal audit has no choice but to report on the state of risk and control directly, should be considered "high risk" regardless of how many traditional/"direct report" audits internal audit performs.

    By the way, the CICA used the term "direct report engagements" specifically to cover situations where an auditor is retained by a client, internal or external, to do a control assessment, whether they be acting in an internal audit or external audit role. International audit standard setters regularly refer to the difference between "attestation" engagements and "direct engagements". Perhaps it's you, not me, that needs to adopt language that all auditors understand - just a thought.

  1. Tim, thank you for the thought. My thought is that we should use internal audit and business language, not the language of external auditors - whether international, Canadian, US, or from Timbuktu. The CICA is for external auditors.

    Standard 2120: The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

    I do not support the idea that internal audit should "report on the state of risk and control directly". Even when risk management reports to the CAE, IA should only act as facilitator and reporter of management's assessment.

  1. Norman: I am a big believer in using simple language that is widely used - when possible. Although control and risk self-assessment made some progress in the 90s supported by the IIA, the vast majority of training offered by the IIA today assumes that management has no serious self-assessment process in place and internal auditors will continue to be the primary risk/control analysts/reporters. Students of SOX regulatory evolution will know that the original SOX 404 proposal considered having external auditors assess the effectiveness and reliability of management's representation on the effectiveness of control to meet the requirements of 404(b). This was rejected, in part because the IIA, the AICPA and other auditor associations did not want external auditors to prepare an "attestation" report on management's representation on internal control. In the end, SOX 404(b) as interpreted by the SEC/PCAOB calls for a "direct report" on internal control effectiveness from external audit independent of management's 404(a) direct report on control effectiveness. This was a major missed opportunity to embed serious self-assessment in organizations. I continue to believe that if regulators are seriously interested in better risk governance, they will mandate representations on risk status from management to boards and require internal audit to provide an "attestation" report on the reliability of that report. The FSB is calling for exactly that around the world in the financial sector. I believe the SEC should follow the lead of the FSB and call for an internal audit report on management's report to the board on risk status (i.e. an attestation engagement).

  1. David: My apologies for not addressing your post. By all means join the debate. An "attestation" audit, using contemporary standards, requires the auditor to first assess and form an opinion on the reliability of the process used by the responsible party making the representation. If the conclusion of the auditor is that the process used by the responsible party making the representation is highly reliable, the amount of substantive testing to confirm reliability of the representation is reduced. The same principle would be used in cases where management makes a representation on the state of risk and risk treatments to the board. Internal audit would first assess and report their conclusion on the reliability of the process used by management to self-assess. This is now required by IIA IPPF 2110 but is often ignored right now. If IA's assessment was that management's process was non-existent or of low reliability, they are forced to form an opinion on the subject matter directly. This isn't possible at an entity level. Unfortunately, in many companies, management makes no representation on the state of risk and risk treatments at an entity level to the board. Often boards receive no formal representations on the full range of risks that impact the achievement of an entity's objectives. Law makers may have to pass a law that requires management to provide a consolidated report on risk to boards if boards don't demand one themselves, and require IA to provide an opinion to them on its reliability and report their conclusions to the board. I believe board satisfaction would increase dramatically.

  1. This reporting on risk is not necessary. Need to report on value creation. Risk management is a subset. No wonder some think no professional progress


  1. The value of internal audit is being limited by several key factors:

     1. the fees the major firms with the supposed skills to deliver the service charge (not sure if the PwC report will highlight that clearly)
     2. the lack of full and free entry of internal audit into the executive suite where the big value, risk and opportunity lie
     3. the audit committee which is still uneducated on how to best get a fully independent, informed and value add assurance on whether stuff is working
     4. the inability of the IIA to effectively respond to the "red flags" as regards the profession
     5. the continuation of the view that assurance can be given by an audit that limits scope - it just won't work unless the bigger picture (broader org objectives) is properly considered in order to provide real value from the internal audit effort

     If IA is to be effective it needs to be able to connect with and review the business at the highest level incl. the Board and Exec management - after all it is the shareholders that want to be assured, not just the Board and Exec management!
