Internal Audit Imperatives for the Decade Ahead

Richard Chambers, CIA, CGAP, CCSA, shares his personal reflections and insights on the internal audit profession.

In late December, I wrote about the five events that defined the past decade for internal auditors. It is too speculative (and far too early) to predict any defining events for the next decade. However, I do have some views on key imperatives that internal auditors must pursue if we are to build on the success we enjoyed during the past 10 years.

The IIA’s Global Board of Directors recently updated The Institute’s five-year strategic plan. Included in the plan is a preferred milestone that internal auditing be “universally recognized as a profession” by 2014. No one is debating how far we have come as a profession. However, being universally recognized as a profession is still aspirational, and is an indication of the distance we still must travel.

As I look at the decade ahead, I am confident that The IIA will do its part to elevate the stature of the profession around the world. We will establish a clear and concise definition of internal auditing’s value proposition, implement and communicate an International Professional Practices Framework worldwide, and continuously advocate the value of the profession to key stakeholders around the world. However, even if The IIA successfully accomplishes all of these strategies and more, any progress in further elevating the stature of the profession will need to be reinforced by internal audit professionals in the “trenches.”

In the past decade, we elevated our stature as a profession by:

  • Helping our organizations navigate the demands of new legislation and regulations related to financial controls.
  • Becoming champions for effective enterprise risk management.
  • Becoming a respected source of talent for our organizations.
  • Diversifying our focus and demonstrating our value in the face of a global economic crisis.

In the decade ahead, I believe there will be even greater challenges than those we successfully navigated in the past. I have already commented on the overarching need to provide assurance to our boards on the effectiveness of risk management. Below, I have identified five additional imperatives that I believe must be addressed in the coming decade — and the sooner the better:

  • Expand our capabilities to continuously assess risks.
  • Enhance our proficiency in data mining and analysis.
  • Better integrate the deployment of IT and non-IT audit resources.
  • Become more effective in communicating our value proposition to our immediate stakeholders.
  • Enhance our coordination with other risk and compliance functions in our organizations.

In the coming weeks, I will expand on these in my blog and invite your perspectives on these and other imperatives that we must pursue.

Posted on Feb 8, 2010 by Richard Chambers

Share This Article:    

  1. Richard,

    I would like to raise a fundamental question that goes to the very heart of our aspirational goal of being seen as a profession.

    I have - perhaps wrongly or ill-informed - always held the view that for any collection of like minded people to call themselves a profession there needs to be some form of transparent and universally accepted discipline mechanism.

    Such a mechanism ensures that those that do not maintain a certain level of behaviour consistent with the expectations of the group are excluded from the benefits of being associated with the group.

    The Institute of Internal Auditors and indeed internal auditors globally do not have that mechanism in effective or efficient operation.

    Until such time as we - as a collection of like minded people - agree that there is value in such discipline mechanisms then we are but, to borrow, a phrase surfing on the wisdom of the crowd.

    We may meet every imperative you list above and may grow on from our achievements of the last decade ... but we will never be a profession.

    Therein lies the greatest challenge.

    I would welcome your and anyone else's thoughts.




  1. Tom:

    I completely agree with you.  Without a member discipline mechanism I think the IIA can be a value adding member association but we will continue to lack a key element necessary to claim to be a true profession.  The fact that only a relatively small % of the total IIA membership see the value in obtaining a CIA designation will continue to position the IIA as an association versus a true profession.  Even today, more than a few CAEs, IIA board members, and authors still don't see the value in getting their CIA designation.  

    I would also assert that an important element of being a true profession is a duty to serve the public interest, not just the personal economic goals of its members.  This should include developing and proposing new methods and frameworks that better serve the needs of key stakeholders and protect the public. If not the public at large and investors, at least the board of directors.  This should include challenging COSOs decision not to implement any form of continuous improvement framework for the 1992 COSO Internal Control Integrated Framework.

     It should also include investing time and resources to study instances when members, particularly CIAs and departments claiming to be in compliance with IIA Professional Practice Standards, may have failed in their role as internal auditors and key stakeholders have suffered material harm..  The IIA should invest resources to study instances of major governance failure and the role of members in those failures - if not to consider whether disclpline is warranted, at least to consider whether changes should be made to the IIA  professional accreditation and development frameworks.

    I have commented in greater length on the issue of being a profession in my blog post of June 19, 2009.

  1. Dear Richard:

    An excellent summarization of the challenges which internal auditors are going to face in the next decade. I entirely agree with you.

    The Madras Chapter of IIA India just concluded the 34th All India Conference on Internal Audit at Chennai India on February 5-6. The Theme of the Conference was "Responding to the challenges of the next decade" Three major challenges were identified [1] Leveraging emerging technologies in audit practices [2] redesigning governance systems for corporate sustainability [3] developing audit solutions for new business models.

    The views expressed by you are very similar to the 12 twelve speakers who made presentations on the above three challenges in 12 technical sessions. I am sure with your leadership and the guidance provided by IIA, the profession will surely meet these challenges.  Thanks to IIA


    Chennai, India.

  1. Dear Richard,

    I have been in and our of IA and CAE positions since the mid 1980's.  I've seen tremendous growth in the professionalism of internal auditors as a whole.  I've also seen the profession elevated during that time.  However, there is an undercurrent that the IIA totally ignores.  As an internal function, the IA organization will always be subject to the political vagrancies of the major players in the organization.  I and many other auditors who are "long in the tooth" have been forced to leave an organization because an executive didn't like our audit activities, conclusions, etc. 

    This is a major challenge that must be addressed in the governance structure of our organizations.  Boards must take their role of safeguarding IA seriously.  Otherwise this trend will just continue to undermine and demoralize our ranks.

  1. I refer to Tom's question about the profession.

    Cynthia Cooper didn't some "universally accepted discipline mechanism" to point out what was right from wrong. I guess the work of an internal auditor is one based on "integrity".

  1. Timely question and some interesting comments - a few builds:

    1) I wonder whether we have yet got the balance right between the need for professional qualifications through formal exams vs. more professionalism through supervision and peer coaching.. A well qualified CAE who is not also a strong leader and influencer can be just as problematic as someone who doesnt know about risk and control.. Moreover many great CAEs are not IIA qualified - the IIA should not feel threatened by this but work out what it can learn and do to work alongside CAEs in their real world challenges to bring about good governance without resorting to a textbook!

    2) We need to address a central issue around whether we are a first, second or third line of defence. If principally the third, what our role is to i) audit "known" problem areas (which arguably should be dealt with by the other lines) and ii) look at risk areas where no strong demand for us to look at exists. Financial auditors would not be allowed to turn away from a key risk area because management are confident its under control. We must be wary of group think and blind spots in the organisations we serve - and that applies to us as a profession as well!

    I've written more on this topic in the UK IIA magazine coming out in March.

  1. Thank you all for the commentery and thought provoking points.  I believe that both an effective member dicipline mechanism and increased CIA awareness and advocay are critical platform elements to becoming recognized as a true profession.  The IIA's initiative to align with University partners for CIA certification is both commendable and strategic.  It demonstrates the thoughtful foresight and certainty that Internal Audit, in time, will obtain its recognition as a true profession.  We must engrain the value of internal audit and cultivate sound principle-based practices into all aspects of organizational culture to support and sustain the worlds "economic eco-system," and we should find comfort in the fact that there are forces at work throughout many IIA/University partnerships.  The new generation of internal audit professionals must strive to become as wise as the board, as savvy as management, as intelligent as the attorneys, as diligent as the accountants, and as precise as the statisticians. Most notably, internal auditors must exercise fair and ethical judgment.    


Leave a Reply