Chief Audit Executives Beware: We Are Entering One of Those Eras Again!
Richard Chambers, CIA, shares his personal reflections and insights on the internal audit profession.
What are the most common reasons that CAEs fail? They can miss key risks in their annual risk assessments. They can deliver audit reports that lack impact or fail to demonstrate value. They can even fail by surrounding themselves with the wrong talent. However, from my experience, the most common strategic mistake that CAEs make is failing to maintain ongoing alignment with the needs and expectations of their key stakeholders (typically the audit committee, chief executive officer (CEO), and chief financial officer (CFO) in the corporate sector). Once a gap emerges, it is only a matter of time before the audit committee and senior management collaborate to change CAEs.
Isn’t it obvious when a gap is emerging? It certainly should be for the CAE. However, all too often they are clueless until it is too late. The first time I witnessed this phenomenon was almost 20 years ago. I completed an external quality assessment for a small internal audit function near Seattle. In those days, quality assessments were more of a checklist of performance against the International Standards for the Professional Practice of Internal Auditing (Standards). I concluded the review with the observation that it was “one of the best departments I had ever seen.” Within six months, the CAE was gone and the department eliminated. I went back and asked the CEO what happened. It was simple, he said: “They weren’t demonstrating any value. I had to implement significant budget reductions, and they were one of the few targets that everyone agreed should be eliminated.” While I did not agree with the decision, it was one of the most important lessons I’ve ever learned — the value proposition is critical to internal auditing’s success.
If you are strongly aligned, why do you need to worry? The answer is simple. Stakeholder expectations for internal auditing can shift swiftly and dramatically. That was never more evident than in 2002. In the years leading up to the U.S. Sarbanes-Oxley Act of 2002, many corporate internal audit departments were focusing on operational risks and IT risks. Many of them were even becoming corporate “business partners” and donning consulting hats. With the swift stroke of the President’s pen, Sarbanes-Oxley became law, and corporate internal audit functions across the United States became a key source of insight on the effectiveness of financial controls. In short, the expectations of internal auditing’s stakeholders turned on a dime. In the months and years that followed, many CAEs who were not willing or able to pitch in and help with Sarbanes-Oxley compliance found themselves irrelevant or worse.
Are there circumstances that are likely to prompt swift changes in stakeholder expectations? In my experience, the factors that seem to accompany such changes are (1) the enterprise is experiencing swift expansion, (2) the enterprise is under significant revenue or cost pressures, or (3) new external risks have emerged for the enterprise. In each instance, internal audit stakeholders are likely to seek a new or different focus/value from internal auditing. Most successful CAEs are agile or flexible enough to adapt. The really successful CAEs are one step ahead and can anticipate expectations shifts before they occur. Unfortunately, many fail to recognize that expectations have moved on and become seriously misaligned. Of course, there is also the situation where old stakeholders depart and new ones take over, but that is the subject for another article.
What are the lessons that can be applied in 2009? At least two of the factors above are present for many companies in the current economic environment. Revenue and cost pressures abound. In addition, new external risks include brutal market forces, an unprecedented crisis in the capital markets, and a likely avalanche of new regulations and legislation that will emanate from Washington. If you are still banging away on financial controls, channeling a vast portion of your resources into Sarbanes-Oxley testing, or crafting audit plans loaded with cyclical audits of low-risk operating units, you may want to revisit priorities with key stakeholders. In many instances, they are desperately looking for assurance that cost and operating risks are being addressed. Many boards also are trying to figure out how they can gain objective assurance on the overall effectiveness of risk management. These are all areas where internal auditing can play a role. Be proactive, and have a dialogue on what their needs and expectations for internal auditing really are.
10 signs that potential trouble may be brewing for the CAE:
- You are executing an annual audit plan developed from a risk assessment conducted six months ago, and no new audits have been added in the past two months.
- You increasingly find yourself arguing with stakeholders about why internal auditing should not be addressing specific new or emerging risks.
- The audit committee is surfacing more new risks to you than you are to it.
- Audit committee members are citing best practices they have observed in other companies with increasing frequency.
- Your CEO, CFO, or audit committee chair are citing internal audit thought leadership that you have not heard about.
- You are getting a lot of pressure from your stakeholders to undergo an external quality assessment. An external quality assessment is a great idea and mandated by the Standards— but it should be your idea and not theirs.
- Your budget/staffing is being reduced, and you are not even being asked about the impact.
- You find yourself on the audit committee agenda with less and less frequency.
- You are getting fewer and fewer phone calls and e-mails from key stakeholders.
- You discover that one of your peers in the CFO organization has just joined The IIA.
Posted on Feb 10, 2009 by Richard Chambers
Share This Article: