The Road Less Traveled: Thinking Like the World's Leading Internal Audit Executives

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.

 

I recently had lunch with several of the chief audit executives (CAEs) who are members of The IIA’s Audit Executive Center. The conversation was enlightening, particularly when we talked about what differentiates an above-average internal audit function from one that is regarded as being truly world-class. 

Our discussion covered all the usual audit quality subjects, from independent quality assessments, to the importance of strong leadership, to integrating technology into auditing, to concentrating on improving working relationships. Each of these factors is important; and each is well known to audit executives throughout the world. But everyone can't be “the best,” much less “best of the best.” So what, exactly, makes high-performing audit groups stand out?

The consensus was clear: All the members of this diverse group of highly successful CAEs agreed that one of the most important factors in achieving audit success was to stay focused on long-term results, even when the path to achieving those results meant ignoring easier short-term alternatives.

The most enlightening part of our conversation took place when the internal audit executives started talking about their own difficult choices when long-term results clashed with short-term easier paths. For example, one CAE from a large U.S.-based publicly traded company mentioned its Sarbanes-Oxley compliance work and her reaction when she first saw new research on internal audit effectiveness in the January 2011 issue of The Accounting Review. The research, titled The Role of the Internal Audit Function in the Disclosure of Material Weaknesses, indicated that when internal audit was required to provide a grade or opinion on financial reporting controls, material weaknesses were more likely to be detected and reported. The CAE knew her management team didn’t want to receive “grades” on internal controls, and she quite frankly didn’t want to start assigning grades. But the research showed that grades could make a difference, so she discussed the change with her senior management and audit committee and made the decision that she knew would bring the best long-term results for her company. It wasn’t the easiest choice, but she still believes it was the right choice.

One “difficult choice” in particular occupied the group’s attention: The decision for internal audit to undergo an independent quality assessment. At the beginning of the discussion, two participants were less than enthusiastic about the idea of having an external quality assessment, but the words of a few other CAEs who had been through the process were persuasive.

One CAE stated that because he knew he really didn’t want to have a quality assessment, he decided to do some research and weigh his options on paper. It was particularly gratifying to me that he mentioned research from The IIA as being important to his decision. The three main positives and negatives according to his assessment are as follows:

Postponing the Review Scheduling the Review
  1. Nobody likes being audited — including internal auditors.
  1. More than 70 percent of stakeholders believe compliance with the International Standards for the Professional Practice of Internal Auditing (Standards) is a key factor in the ability of internal audit to add value to the governance process, and 90 percent of stakeholders indicate that adherence to the Standards increases their confidence in internal audit, according to The IIA’s 2010 Stakeholder Expectations Survey.
  1. Preparing for and undergoing an external quality assessment will detract from our ability to “get our audit work done.”
  1. The requirement for independent quality assessments went through an extensive exposure process when the standard was released, and most people thought it was an important requirement.
  1. There are costs associated with any type of audit, including this one.
  1. There were no other essential parts of the organization’s internal control system that had not been audited.

After reviewing his options, the CAE decided to discuss the benefits and drawbacks of an independent quality assessment with his audit committee — and the review took place.

What did I learn from my lunch with some of the world’s most successful internal audit executives? They were most likely to re-evaluate their own decisions when they knew there was an alternative action they really didn’t want to take. They didn’t look for reasons to postpone the hard decisions: When they needed to make a choice between a short-term easy route and a route that might bring better long-term results, they did their homework, checked their facts, discussed options with management and the audit committee, and even looked for new research to ensure they came to the best decision.

The best minds in internal audit don’t shy away from making the hard decisions. I hope we can all be more like them. 
 

Posted on Feb 29, 2012 by Richard Chambers

Share This Article:    

  1. It is good to raise the question of the extent of compliance by IIA membership with the IIA's standards. Your article "Quality counts" in the UK IIA magazine makes similar points:  <50% of HIAs surveyed said they complied with IIA standards. Barriers stated included: i) whether the IIA standards were really appropriate and ii) whether the IIA standards were supported by their senior management .. 

    Whilst I fully support the overall sentiment of what you are trying to do, could it be that stating that we should all get behind compliance with IIA standards is actually part of the problem? (Sorry Richard!) 

    I would offer the folllowing reflections, to help stimulate a deeper debate about what we need to do to move forward:

    i) Could it be that there is a gulf between rank and file perceptions of IA quality in practice and all of the IIA's standards?

    ii) Is there an even bigger gulf between these standards and the views of senior managers in organisations around what makes for a high quality IA function?

    iii) Do we have too many IIA standards, with HIAs having to make trade offs "in the real world" that a compliance approach will not do justice to? 

    iv) Could we progress more as a profession by emphasing the role of peer reviews to deepen our understanding of these real life issues, rather than a question of pass or fail compliance?

    I suspect we could learn from the "supervision" approach a number of other professions have adopted, where real world dilemmas and constraints are much more to the fore than just expecting compliance with a set of standards. A compliance approach may have made sense years ago when we were auditing financial controls, but perhaps this makes less sense now as we fulfil a much broader role?

Leave a Reply