Five New Year's Resolutions Every Internal Auditor Should Make for 2014

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 

 

The New Year affords a great opportunity to re-assess your life and identify a few resolutions that can help you break bad habits or enhance your quality of life. Over the years, one of the practices I have followed in writing my blog is to open the year by sharing five New Year’s resolutions that every internal auditor should make. As I noted last year, these are not the typical resolutions about losing weight or exercising more — although some of us could certainly benefit from such resolutions as well.

Instead, the resolutions that I propose are designed to enhance the quality of our performance as internal audit professionals. They are simple resolutions that are powerful enough to enhance our value, but painless enough that keeping them changes from a mere possibility to a probability.

So, here is my list of the five New Year’s resolutions that every internal auditor should make for 2014:

1. Get to Know The 2013 COSO Framework
The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) release of the 2013 Internal Control–Integrated Framework marked the first update of this iconic framework since its original debut in 1992. In releasing the framework last May, COSO made clear that it would consider the old framework to be “superseded” on Dec. 14, 2014. So, for internal auditors whose companies are subject to legislation such as the U.S. Sarbanes-Oxley Act of 2002, the implications are clear. Less than 12 months remain for these companies to ensure that their internal control systems align with the new framework. Armed with deep expertise on risk, control, and governance, internal auditors should become thoroughly familiar with the 2013 COSO framework and be poised to provide assurance to management and boards on their organization’s readiness for the December deadline.

2. Scour Legislative Headlines for Future Compliance Risks
New compliance requirements proved to be a global phenomenon again in 2013. Legislation passed in recent years, such as the U.S. Affordable Care Act, Foreign Corrupt Practices Act, Consumer Protection Action, JOBS Act, and Dodd-Frank Wall Street Reform and Consumer Protection Act, continue to spawn new regulations and corresponding compliance risks. The heightened legislative and regulatory environment that has gripped the globe for the past five years shows no sign of abatement. As I have noted before, today’s legislative headlines often portend tomorrow’s compliance risks. So, in 2014, internal auditors should focus not only on addressing risks related to newly enacted regulations, but they also should prepare for future compliance risks by monitoring 2014’s legislative headlines. The IIA has been playing its part over the past two years to help internal auditors anticipate future compliance risks. Since 2012, The IIA has been working in Washington, D.C. to position itself as a resource for legislators and regulators contemplating new compliance requirements for corporate America. IIA Institutes around the world have been pursuing similar strategies. In the end, however, it will be up to internal auditors to make compliance a priority and to assess and address compliance risks that are sure to emerge in the future.

3. Get Better Acquainted With the Second Line of Defense
In its 2013 Position Paper: “The Three Lines of Defense in Effective Risk Management and Control,” The IIA defined the second line of defense as the “various risk management and compliance functions to help build and/or monitor the first-line-of-defense controls.” The past five years have witnessed a proliferation of second-line-of-defense functions and resources dedicated to them. In many organizations, management and the board are exhibiting “audit fatigue” or “oversight fatigue.” Examples of duplication or overlap between second-line-of-defense functions and internal audit (the third line of defense) include multiple reviews of compliance programs and redundant risk assessments. Internal auditors should make better coordination with second-line-of-defense functions a priority for 2014 to minimize potential gaps or duplication of efforts and to promote more efficient use of organizational resources.

4. Keep Pressing for a Seat at the Table
When I travel, I often meet chief audit executives (CAEs) who long for similar opportunities in their organizations. The words vary, but the aspiration is very similar: “How can internal auditors get a seat at the table?” These CAEs frequently are seeking my advice on the best way to secure the seemingly elusive seat. There is no magic formula, but I often share my thoughts on this dilemma. For internal audit functions to deliver optimum value, it is essential that the CAE and internal audit staff have a keen understanding of the business and their role in supporting it. Such an understanding must include insight on how the business strategy of their company is formulated and how risks are assessed and managed. A “seat at the table” is simply a euphemism for the CAE being afforded an opportunity to attend and participate in the meetings and discussions with senior management where these conversations and deliberations take place. For those CAEs who do not yet have a seat at the table, 2014 is as good a time as any to begin securing one. For those who already have the seat, 2014 should be a year in which to demonstrate the value they bring by being a strong contributor at the table.

5. Secure the Right Credentials and Polish Your Resume
The global economy has been lumbering ever so slowly through recovery for several years now. In 2013, The IIA witnessed some of the strongest growth in the profession in almost a decade. As the year closed, I couldn’t help but note that I was getting more calls from internal audit recruiters seeking recommendations on CAE and internal audit candidates than I had in years. At the same time, internal audit job boards were humming with new opportunities around the globe. For those internal auditors whose career aspirations include promotions or selection to positions of enhanced responsibility, 2014 should present great opportunities. First, however, aspirants will need to dust off resumes that likely have not been updated in years as well as recognize that the competition for opportunities likely will be stiff and experience may not be enough to differentiate oneself from competitors. Credentials convey assurance to potential employers that the candidate possesses the proficiency to execute any new responsibilities in a manner second to none. For internal auditors who don’t hold the Certified Internal Auditor (CIA) designation, 2014 is the year to earn the only globally recognized internal audit qualification. Those who already have the CIA may want to complement it with the new Certification in Risk Management Assurance (CRMA) or one of The IIA’s other globally recognized certifications.

Regardless of whether you adopt these resolutions, the beginning of a new year marks a natural opportunity to step back and identify priorities for yourself — both personally and professionally for the year ahead. Best of luck.

I welcome your thoughts.

Posted on Jan 6, 2014 by Richard Chambers

Share This Article:    

  1. Richard: Thanks for proposing some New Year's resolution for internal auditors. I would like to add another resolution that I believe that all IA shops should have as a "standing New Year's Resolution" - "Foster greater and true management/work unit ownership of risk and control management and reporting". Since the work I did with Bruce McCuaig and Paul Makosz at Gulf Canada in the 1980s on CSA/CRSA this resolution has guided my work and continues to be the center of my strategic focus. While I know it is tempting for internal auditors to be content being their organization's primary risk and control analysts and reporters and being satisfied with annual "risks lists" ERM processes, I believe that a key missing link in corporate governance has been true ownership by boards and senior management of risk management. The IIA initiative to create the CRMA designation and promote the idea that all IA shops should assess and report on the effectiveness of their companies risk management processes (Standard 2120) are positive steps. Risk management processes that are not truly owned by work units, senior management and the board should always be deemed ineffective. Not all IPPF standard 2120 assessments see the world this way and many conclude that having an annual risk list creation/maintenance process is evidence of effective ERM. It isn't. History provides ample evidence for this conclusion. The IIA at one time hosted full dedicated conferences each year to fostering management ownership of control and risk but recently the GRC conference has become another all purpose/broad topic event. It's time the IIA once again dedicated a full conference each to management ownership of risk and control assessment and reporting. Like many New Year's resolutions this one isn't easy to achieve but should be seen by internal auditors, the IIA, and the profession as a priority.
  1.  Thank you for your sharing, it is really very helpful.

  1. Awesome resolutions! This is the only way we can see increase in our professional pursuits. Stagnation is not an option!
  1. I agree with the New Year Resolutions and thank you for sharing them with us!

  1. Thank you for the very well thought resolutions.  i think these resolutions are key to ensuring that Internal Auditors remain relevant to the organisation, and become trusted advisors to senior management. I believe that if one can successfully complete these resolutions you'd be add much needed value in the organisation, and management will get you "the seat".  Happy New Year to everyone and good luck in bettering your skills.

Leave a Reply