Chief Audit Executives Have Never Been Stronger!

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.

Let’s cut to the chase! The past decade has seen a rise in stature of the internal audit profession that is unparalleled in its history. Leading the way have been the men and women who led internal audit functions in enterprises around the world. In the past few years, I have had the privilege of getting to know many of them and the departments they lead. I am confident when I say that the overall caliber of chief audit executives (CAEs) in 2011 has never been stronger! 

I have been in the internal audit profession long enough to remember when there was still a grain of truth in the stereotype that accountants and auditors, by nature, were bean counters who hovered over 16-column spreadsheets. Today’s internal auditors, however, must know much more than how to count beans. They must understand “how the beans are grown, harvested, and even marketed.” No one in the internal audit function has to be more keenly adept at these tasks than the CAE. 

In the past decade, boards and senior management have come to recognize the pivotal role a CAE can play in helping the organization enhance internal controls, risk management, and corporate governance. In fact, many organizations today cast a broad search when seeking to fill the CAE role rather than routinely promoting the next in line from the audit department. That is a sign to me of the importance that is being placed on acquiring the right talent for the next CAE.

It’s also the CAE who, in most cases, is joined by nobody else but a CEO in a corporate structure in having his or her performance directly reviewed by, and being directly accountable to, members of a board of directors. That alone, beyond all the other executive developmental pressures of a CAE’s job, has ensured — and will continue to ensure — the elevation of the caliber of the CAE.

During my tenure with PricewaterhouseCoopers, I had the opportunity to work with CAEs in more than 75 Fortune 500 internal audit functions in the United States, plus scores of others around the world. From my experience, modern CAEs are agents of change who not only understand the business of their enterprise, but also are capable of building and sustaining relationships and developing the key internal audit talent supporting them. 

Are there opportunities to enhance the caliber of CAEs beyond where they are today? Absolutely. But, the same also can be said of CEOs, chief financial officers, and the rest of the corporate C-suite. I seriously doubt that more CAEs have been involuntarily replaced than CEOs.

I have shared these thoughts on modern CAEs not simply to serve as their “cheerleader.” Instead, I want to put my thoughts on record so that they can be weighed in various discussions currently going on about this important topic.

I welcome your views on the relative strengths of the leaders of our profession.

Posted on Oct 27, 2011 by Richard Chambers

Share This Article:    

  Comments (11) un-categorized
  1. Comment by: Harish Kumar   (10/27/11 10:56 PM)   

     Internal Audit as a profession is something we are all very proud. The challenge that lies ahead for internal audit is plenty. Just to name the few, internal auditors today must recognize what is going on around us viz., people displeasure with the way system itself in meeting the expectation. Occupy wall street protestors in New York, european debt crisis and corruption that brought age old rulers to their knees viz., Egypt, Tunisia and Libya in the midst of middle eastern political climate. One of the common things I have heard from many internal audit practitioners is that entry level auditors tend to miss big picture approach when the audit is undertaken for many reasons viz., inadequate time budget or inadequate training or impractical audit objectives or goals where there is already expectation gap between a supervisor and entry level auditor on the job or expectation gap between client and the auditor or simply a mismatch between needed skils for the audit job on site vs., client's availability of time and resources for the specific audit task. All in all, professional auditing standards suffer and it leaves dissatisfied client with unprofessional deliverables at the end of the day. Meeting the goal and standards at the level it is required should be emphasized to the entry level auditors and the needed commitment the entry level auditors should exhibit on the job must be emphasized clearly. Today's entry level auditors are tomorrows senior auditors.

  1. Comment by: Wael El-Bsat   (10/28/11 09:03 AM)   

    I fully agree with Mr. Chamber for his comments. The CAEs across the globe are in real chase to cope with the business challenges facing organizations. The paradigm shift of risks, evolving business practices, and ever-changing business environments are putting pressure on CAEs not only to relay opinion on controls, but also to work in partnership with management to help them do things in a better way.

    These challenges require a world-class CAE. The ingredients of a world-class CAE are typically the leadership skills that the CAEs must enjoy to be able to communicate and exercise influence. I believe most of the CAEs are enjoying such capabilities; otherwise they wouldn’t have reached that executive level at first place.  Not because I am an audit practitioner and a CAE for a regional insurance company that operations in the Middle East and GCC, but I truly believe that sometimes only CAEs could have that value proposition to their organizations given they exposure to different activities and processes.  In addition, I don’t think that anyone can argue the fact that CAEs are real agents of change. The proof is that in some cases we witness the fact that the management team that we work with needs lots of time to digest the value that we bring onboard, which means that most CAEs are way ahead their organizations in their vision and foresight. The way I see the true leadership values of CAEs; is the fact that when we move at a pace that is a bit faster than that of our organizations, we really create a pull momentum that picks up with the right effort, commitment, and diligence.

  1. Comment by: arnold schanfield   (10/28/11 01:18 PM)   

     Richard:

    When you say above that internal auditors must know this and must know that, are you saying that do know it or  that they still need to learn it? Take risk management for example and please provide a clear summation of your assessment of the current skills of your average CAE in this domain. Do they cut it or do they not cut it and would you agree that this is one of the most important skill sets that they need to have in their tool kit?

    I have a much different sense than you do for where your average CAE is at based on my own interaction. For the 80's and 90s- I think that  the profession really moved forward by leaps and bounds. I think by and large the profession has been stagnant these past ten years for a number of reasons. If you respond to this blog, I'll be please to lay out the reasons why and what should be done about it

     

     

  1. Comment by: Richard Chambers   (10/28/11 04:44 PM)   

    Arnold - Naturally, I respect your opinion, but I couldn't disagree more with your characterization that the profession has been "stagnant" over the past decade.  Ten years ago, almost 50% of CAEs reported that they had no functional reporting relationship to the audit committee.  Today, the number is approaching 90%.  Ten years ago, risk assessments in the annual planning process was considered a leading practice. Today, almost 90% of internal audit departments comply with newly adopted standards and perform a risk assessment at least once a year.  As the '90's drew to a close, the profession was struggling to articulate its value to an increasingly skeptical set of stakeholders.  Many audit groups were abandoning assurance engagements all together, and adopting CSA and other consultative methodologies in hopes of surviving.  Since 2000, growth in the profession has surged around the world.  With the SOX-driven creation of new internal audit departments and surging budgets in older ones, IIA membership grew by more than 70% in the past decade alone. The list goes on.

    Are there areas we need to focus as a profession inorder to improve? Absolutely.  However, as one who has been part of this profession for 36 years (26 in staff and CAE roles and 10 with The IIA and PwC), I can say confidently, the past 10-years have been a "golden age" for our profession!

  1. Comment by: Tim Leech   (10/31/11 09:32 AM)   http://www.riskoversight.ca

    Richard:

    I understand that part of your position is to be a "cheerleader". Postive reinforcement is important to self-esteem.

    I also believe however that the profession needs to "practice what we preach" - candid, professional, sometimes tough and objective review of performance.  We need to consider that none of the major commissions even thought it was worth probing the performance of internal audit functions in the companies at the heart of the 2008 global collapse.  This is consistent with US Congress who did not see IA as part of the solution to the perfect storm of bad corporate governance that culminated in SOX.  The NACD Blue Ribbon Commission in to the role of boards in the 2008 global collapse called on boards to significantly improve their risk oversight but didn't see IA as a major element of how that could be done. In Canada the CICA issued an exposure draft on board oversight of risk in December 2010 calling on boards to improve board oversight of risk.  IA was not seen as a key element in the calls for improvement.  These are not insignificant signals from key stakeholders.  They need to be carefully considered and publicly responded to with facts not rhetoric about how great IA is.

    Glad to see you took the time to respond to Arnold.  Open dialogue on these issues is a key step forward. Norman Marks in his Marks on Governance also has very important points.

  1. Comment by: arnold schanfield   (11/3/11 04:04 PM)   

     Tim-your comments are right on the mark. Very good points!

  1. Comment by: Dan Clayton   (11/7/11 10:42 AM)   

    More has never been expected of CAE's!!!

    As a 14+ year internal auditor, I grew up in this decade of change. I have spent a lot of time listening and on many occasions I have been involved in building future-focused IA functions. To me the greatest irony is that we are still struggling to meet the definition of internal audit that was originally drafted in 1999. In that definition we help governance and management reach their objectives by bringing in our professional insight to improve Governance, Risk Management and Internal Control. The irony lies in the fact that "objective management" has never been factored into our models. Aren't we focused on helping them reach their objectives? Aren't the objectives what is AT Risk? We have spent a decade informing governance and management of our principles and what we can do for them, yet a significant part of our profession still believes their role is to value processes against some financial or regulatory standard, rather than the success of objectives. 

    I believe we as a profession have allowed our value to be diminished by refusing to let go of siloed standards of the past. We are anchored, a cognitive error that limits critical thinking, in the tradition of the past. We cannot reach the full value of our definition without being innovative. Innovation requires that we consider setting aside things like COSO Models (financially based), and challenge the term assurance and consulting (of financial origin).

  1. Comment by: Dan Clayton   (11/7/11 10:43 AM)   

    It is a scary thing to be innovative as a profession; it may shuffle the current client list and structure of influence.  Yet if we do not innovate, we will never reach our potential. There is such a need out there. We need to loose ourselves somewhat from structure and figure out how to meet the gaping hole in information needed by Governance. They need our help in creating standard comparable data about their organizations progress towards its objectives. Standardization follows innovation.

    My thoughts on innovation:

    Create one IA service that is focused on helping the organization increase transparency to the adequacy of strategic and objective management. To do this learn from leading business management models and create a framework for management expectations. We don't need to be the experts but we can compare them to their own leading practices. All IA work should contribute to the picture of objective achievement. Not simply the threats to objectives, but a measurement of the current vulnerabilities. How can Governance govern without comparable organizational data that informs them of their strengths and vulnerabilities? What sport coach would feel comfortable only looking at past performance statistics. IA should be the source for standardizing new strength and vulnerability data. This isn't the whole answer, but we as a profession need to be thinking more along these lines.  

     

  1. Comment by: Mark P. Ruppert   (11/7/11 08:42 PM)   

     IA is not often identified in the very areas in which we express expertise (i.e., governance, risk and control) and I'm not sure it's because we should be.  Our goal is to provide an independent and objective view and feedback through which we help the organization see and direct change in the GRC areas. Since no one expects or wants us to own it, we are somewhat left out of the "make it happen" conversations. Yes, I know, we also have our consulting hat (but note that all auditors are consultants but not all consultants are auditors) and yes of course, I find this challenging as an individual who wants to help and be more a part of corporate strategy; but, is it right for us to tout our greatest benefits as independent and objective assessors and also ask to be part of developing the solution? Perhaps, but perhaps outsiders see that as a conflict in their expectations of internal audit. And, if so, how do we then get “them” to see our services as being part of the solution as opposed to only a function following up to let them how well their solutions are working? 

    I'm not sure I've seen or have a good answer for this dilemma that I might characterize as: when does "leadership" in internal audit take us out of internal audit and into corporate leadership?  Perhaps when this is happening, it's a good time for the CAE to being wondering if a promotion or other movement is warranted? Or do we just better guidance and effort in selling ourselves for the “right” place at the “right” table?

  1. Comment by: Dan Clayton   (11/21/11 06:05 PM)   

    Mark,

    Independence and Objectivity is the heart of IA. My contention is that assurance is not. Assurance is too associated with the external standard of financial or regulatory rules, assuring that business processes are compliant. This is the wrong measure to meet the definition of IA. Our measure should be business objective success. However to find measures in this world we have to be familiar with business managment leading practices, and we have to look at a spectrum not just black and white.

    We can still improve the organization we just need to use more modern standards:

    Strategic and Business Objective Maturity; Dissemination of Accountability; Management Oversight Adequacy; Operations Alignment Adequacy (people, process and technology)...

     

  1. Comment by: Lesedi Lesetedi   (11/23/11 09:27 AM)   

    Richard you hit the nail on the head. I fully agree with you that a CAE can make a good leader or CEO. I really strongly believe so, particularly if one was to look onto their competencies. A contemporary CAE is well researched on various topics and should be abreast with changes and advice accordingly. A competent CAE should be privy of everything happening in the organisation he/she works for and understand very well its way forward thinking through for example the continuous review for accomplishment of the organisation's strategic plan and the periodic assessment of implementation of identified objectives and goals to be attained. To be able to achieve all the above mentioned the CAE should possess competencies of being a good communicator, having an analytical mind, being a people's person- good relations, a good negotiator and presenter, exemplary and walking the talk, ethical with integrity, knowledgeable and up to date, versatile and presentable.

    Therefore one need not ask but just see the qualities of a leader on the CAE as someone to move to be the next CEO .Even with a selection criterion, the CAE will still have a competitive edge over the counter parts who are periodically given assurance of their functions and operations by the same CAE. The CAE may not be a specialist in areas of Finance, Human Resources, Information Technology, Project Management, Purchasing and Procurement to mention but a few, but they review these areas all the time in addition to thier normal review of control, risk and governance processes. I therefore have no doubt a CAE can make a good CEO or any other higher positions like Board Chairmanship and the rest ...

Leave a Reply