Richard Chambers, CIA, shares his personal reflections and insights on the internal audit profession.
Having served as a U.S. federal inspector general (IG) and later as an advisor to scores of Fortune 500 chief audit executives, I have the unique perspective of understanding both worlds. No one would seriously suggest imposing the federal IG model on the corporate sector. It simply would not work. However, in the environment in which we are currently operating, there are things that corporate CAEs can learn from their federal counterparts about keeping an eye on reputational risks and focusing on efficiencies and operational effectiveness to drive down costs.
So who are these federal IGs? The modern U.S. federal IG model dates from the late 1970s. Following a series of highly publicized frauds in the federal government, U.S. Congress passed the IG Act of 1978 “to conduct and supervise audits and investigations … and to promote economy, efficiency, and effectiveness” in agencies of the U.S. government. Today, there are 67 statutory IGs providing oversight in agencies as large as the U.S. Postal Service and as small as the Architect for the Capitol. They are empowered with extraordinary independence. They not only provide audit coverage for their agencies, but in many instances they have broad investigative and law enforcement responsibilities as well.
Focusing on reputational risks. Although IGs do not speak in terms such as “reputational risks,” I can assure you that such risks play a big role as they compile and execute their annual audit plans. “Public trust” is essential to effective government, and IGs understand that as well as anyone. As the IG at the Tennessee Valley Authority, I would often marvel at how quickly the public’s perception of the agency could be inflamed with the disclosure of an immaterial spending indiscretion such as “decorating costs” for executives or board members. As many U.S. companies are suddenly discovering (particularly those receiving funds through the U.S. Troubled Asset Relief Program or other federal assistance), reputational risk is something they should bear in mind when making decisions such as whether/where to hold executive meetings and whether to continue expensive corporate sponsorships. As an IG, I included “visibility and sensitivity” as one of my key factors when scoring and prioritizing key risks for the annual audit plan. I would advise CAEs in the current environment to consider similar factors when assessing risks.
Focusing on efficiency and effectiveness. If there is one major difference in audit focus/coverage between corporate CAEs and their federal counterparts, it is the level of emphasis on assessing efficiency and effectiveness (performance auditing — sometimes referred to as operational auditing). By definition performance audits in government “provide objective analysis so that management and those charged with governance and oversight can use the information to improve program performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to public accountability.” These audits have traditionally comprised a substantial percentage of federal IG coverage. At the same time, many corporate CAEs have tended to focus more on financial risks and have devoted relatively little coverage to operational auditing. In the current environment, corporate CAEs are rapidly reprioritizing to identify potential cost savings and efficiencies. In that regard, various surveys have noted increased focus on operational risks over the past year, and The IIA has noted almost a 50 percent increase in the number of registrants in its operational auditing courses from 2007 to 2008.
In conclusion. Don’t get me wrong; as I have said for years, I believe there are enormous opportunities for federal IGs to learn from the corporate sector. Much has been written about the current federal IG model and its challenges. However, the extraordinary conditions associated with the current economy have aligned many risks being faced by the corporate sector with those traditionally faced by government. Given the IG’s deep/extensive experience in relating to these types of risks, I would suggest that corporate CAEs benchmark their approaches to addressing reputational and operational risks with their federal counterparts.
Resources for benchmarking with federal IGs. Federal IGs are organized as the Council of Inspectors General on Integrity and Efficiency. Their Web site serves as a portal to a wealth of information, and can be found at http://ignet.gov.
Links to federal IG Web sites: Federal IGs post their annual plans and key audit reports directly on their Web sites. A directory of Web sites can be found at http://ignet.gov/igs/homepage1.html.
In at least two instances, federal IGs oversee the operations of federal government-owned corporations (the U.S. Postal Service and the Tennessee Valley Authority). The Web sites for these IGs may be even a better source of benchmarking for corporate CAEs. These links can be found at www.uspsoig.gov/audit.htm and http://oig.tva.gov.
The Government Accountability Office (GAO) also provides an outstanding source of information on operational/performance audits. The GAO’s Web site can be accessed at http://gao.gov.
From my perspective, the best guidance available on conducting and reporting on operational/performance audits can be found in the Government Auditing Standards (commonly known as the Yellow Book) Fieldwork Standards for Performance Audits, which can be accessed at www.gao.gov/govaud/govaudhtml/d07731g-9.html#pgfId-1034320, and Reporting Standards for Performance Audits, found at www.gao.gov/govaud/govaudhtml/d07731g-10.html#pgfId-1034320.