It's Not Business as Usual for Big Internal Audit Departments

Richard Chambers, CIA, shares his personal reflections and insights on the internal audit profession.

There are very few people and few organizations that haven’t yet been touched directly or indirectly by the troubled economy. Everywhere we turn, individuals and organizations are making adjustments — tightening here, cutting there, and paying closer attention to how resources are being spent. Just a look at this week’s headlines gives you a good indication that everyone’s watching their step. What a perfect opportunity for our profession to step up to the plate to lead the charge in asking, “How do we adapt?”

To capture in-depth and qualitative analysis of these opportunities and how the internal audit profession can be of utmost value in this changing environment, The Institute of Internal Auditors (IIA) pulled together chief audit executives (CAEs) from some of the largest companies — primarily Fortune 100 companies, as well as several from the Fortune 250 — and representatives from internal audit service providers, the U.S. Public Company Accounting Oversight Board, and the U.S. Securities and Exchange Commission. The roundtable discussion was held during The IIA’s General Audit Management Conference in Washington, D.C. last month and has resulted in a new white paper titled, “A World in Economic Crisis: Key Themes for Refocusing Internal Audit Strategy.”

Roundtable participants candidly offered their insight and strategies for redirecting the focus of internal audit activities to meet the challenges of today’s environment. Key questions focused on finding out the biggest impact the economic crisis has had on internal auditing, how the internal auditor’s role has changed over the last 12 months, what issues are different now and how they have changed the internal audit strategy, and the lessons learned that will lead us forward.

We found out that CAEs are helping their organizations navigate through the current crisis in a variety of ways. Most roundtable participants said they are making their internal audit activities more flexible by adjusting to stakeholder expectations and changing risk priorities. By linking their audit plan to business strategies and current risks, internal auditors are shifting priorities from a financial and compliance focus to a more operational and ERM effectiveness strategy. Roundtable participants suggested several leading practices and strategies that can be boiled down to 10 key takeaways:

  1. Focus on recession-related risks and activities. Incorporate cost containment and revenue enhancement reviews into the audit activity. Review risks around reputation, liquidity, workforce reductions, and third-party vendors. Look at going concern issues and off-balance-sheet transparency, and ensure internal controls mitigate reputational risk. Cultivate a cultural mind-set so that all activities are scrutinized with corporate reputation in mind. Invite management to surprise drills and discuss strategies if the unthinkable happens.
  2. Increase communication with management and the audit committee. Know the expectations of the audit committee and management. Recognize the opportunity to advocate risk management and keep the audit committee informed of upcoming and emerging risks. Discuss and obtain agreement on any shifts in audit plan priority. Promote transparency at all levels.
  3. Place renewed focus on risk management and corporate governance processes. Audit the effectiveness of the organization’s risk management and governance processes. Take a hard look at the organizational structure and business strategies, and ensure that there is a well-thought-out risk management process. Raise tough questions about oversight practices and strategies. Look at the board structure, reporting lines, and separation of duties.
  4. Strengthen your risk assessment process. Reassess risks, including emerging external risks, and quantify the impact more frequently. Add a preparedness, velocity, and resilience factor to the risk assessment matrix, and subject every area of the risk assessment to a reputational risk litmus test. Assess the impact of compounded interrelated risks that if combined could snowball into a higher risk priority, and look toward the future to anticipate the next emerging risk.
  5. Operate with a more flexible and adaptable audit plan. Reassess the audit universe regularly and change the audit plan to stay aligned with business objectives. Reprioritize resources to adapt to priority risks identified in the risk matrix, and shift assurance activities to risk management processes, operational controls, and cost containment/reduction and revenue enhancement activities. Keep an eye on what actions management is taking to cope in today’s environment.
  6. Serve as a risk management educator. Help management and the audit committee understand where they stand in the ERM curve and work together to fill in the gaps. Facilitate risk management workshops and advocate a rigorous self-assessment process to provide broader risk review coverage. Facilitate risk discussions at every opportunity.
  7. Expand fraud testing in the audit plan. Incorporate technology to review a broader transaction universe for anomalies. Focus on recession-related risks, inventory shrinkage, overtime abuse, unauthorized accounts payables, and expense report padding.
  8. Strengthen business knowledge. Couple audit methodology with a deep understanding of the business; find out what you don’t know and fill in the gaps. Focus on business objectives and strategies, and ensure that your audit plan considers and addresses the strategic risks to the organization. Partner with risk champions to improve organizational knowledge.
  9. Strengthen your relationships and communications with the organization’s other GRC functions. Improve relationships with other risk and control groups, and meet with risk champions regularly. Build a strong relationship with management to stay abreast of business changes and strategies. Encourage open communication and sharing, facilitate risk discussion, and publish emerging risk lists.
  10. Enhance the efficiency of your audit processes. As your businesses revamp and re-engineer their processes to enhance efficiency and cost effectiveness, put internal audit processes to the same test. Look for ways to shorten reporting time, increase the use of technology, and challenge internal audit teams to increase their efficiency.

As a precursor to the roundtable, The IIA conducted a survey to get perspectives on the causes and effects of the financial meltdown, as well as views of how companies are adapting. The survey resulted in responses from 364 internal auditors in the United States — 117 who work in the financial services sector and 34 who work for Fortune 100 companies. The survey data helped guide the roundtable discussions. You can read more about the survey here. To read The IIA’s new white paper, “A World in Economic Crisis: Key Themes for Refocusing Internal Audit Strategy,” click here.
 

Posted on Apr 22, 2009 by Richard Chambers


  1. Richard: It's great to see that the IA profession is doing some self-assessment of its role in the current economic crisis and discussing ways to contribute to the recovery. My guess is that more organizations have been directly impacted by the governance failures that occurred than is being acknowledged, even if it is just a major shortfall in their pension plans as a result of the meltdown. 

    Will the IIA be funding any fact-based research to confirm or refute the type of feedback provided by the survey of members?  

    Determining the number of organizations where IA was actually assessing and reporting on the effectiveness of risk management systems to their boards would be very valuable, as would determining how many audit organizations were providing snapshots of their organization's residual risk status as opposed to audit opinions on a small % of the total risk universe. 

  1. Richard and Tim: I am going to add a little more fuel to the "governance failures" fire.

    Arguably, internal audit was not effective in its assessment of the adequacy of risk management and governance practices at some organizations - or management and the board failed to listen.

    1. Should and will the IIA investigate potential internal audit failures in a fashion similar to what the AICPA might do? If the IIA (or another agency) identifies a failure, what sanctions would be imposed?

    2. How can the IIA help CAEs who are shown the door when they report unwelcome news to management and the board?
