- Richard Chambers On The Profession

Changing Times, Changing Priorities: Are We Passing the Test?

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.  


On the surface, opportunities for internal auditors seem to be better than ever, with great prospects for career advancement. We are in a growing field and, because turnover rates are relatively high, new supervisory and management positions are constantly becoming available. As well, internal auditors are able to make important job contacts through their organizations, and many doors are open to us.

But it’s not all good news, and that could be our own fault. We may be doing a disservice to the rising generation of career internal auditors by actually limiting opportunities for advancement, despite our best intentions.

Advancement into audit management is very achievable these days, but getting a job as a chief audit executive (CAE) might be more difficult for career internal auditors than most of us would have imagined only a few years ago. The IIA’s Audit Executive Center just released its 2014 Pulse of the Profession report for North America, and the study found that 42 percent of CAEs in North America held a position outside of internal audit immediately before becoming CAE.

Obviously, there are benefits as well as drawbacks when organizations recruit from outside internal auditing for new audit executives. The new study does a great job of presenting the pros and cons for looking outside the profession to fill CAE positions, and it’s well worth reading for many other reasons. But the survey results also left me wondering why so few members of the internal audit team are considered “front runners” for the top spots in internal auditing.

One of the best ways to understand what’s on the mind of our stakeholders is simply to ask them. I haven’t seen a survey that specifically asks audit committees or senior management why internal auditors are frequently not the first choice for filling CAE vacancies; but KPMG’s Audit Committee Institute recently polled committee members on several related questions.

The results of that survey are unsettling: 82 percent of audit committee members believe internal audit’s role/responsibilities should extend beyond the adequacy of financial reporting and controls to include other major risks and challenges facing the organization. The bad news is that only half of these audit committee members believe internal audit currently has the skills and resources to be effective in the role they envision.

These facts add up to a big problem for internal auditors. If half of our audit committee members don’t think we have the skills to get the job done, it shouldn’t be a surprise that 42 percent of new CAEs are coming from outside the profession.

Change is never easy, and rapid changes tend to render irrelevant the people who cannot adapt. We are at a point where we need to correct misperceptions and demonstrate that we can get the job done, regardless of the type of risks our organizations face. That’s because, at organizations where internal audit is not meeting expectations, changes will be made. And those changes may be hard to swallow.

We also need to plan for the future and ensure we are ready for the next strategic realignment of internal auditing, whatever that realignment might bring. I believe that one important way to do this is to get back to the basics. The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) requires that we perform risk-based planning and that we have sufficient, competent resources to address a full range of risks, including:

  • Achievement of the organization’s strategic objectives.
  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations and programs.
  • Safeguarding of assets.
  • Compliance with laws, regulations, policies, procedures, and contracts.

If we truly are addressing and tackling each of these risks, there should be few questions about our ability and skills to take on the roles our stakeholders envision for us.

As the internal audit profession matures, it constantly swings from a focus on financial auditing to one on operational auditing. Over time, priorities change, and we are called upon to adapt — and to anticipate — our organizations’ evolving goals and objectives. A decade ago, with the implementation of the U.S. Sarbanes-Oxley Act of 2002, there was a rapid shift toward financial auditing. Today, the pendulum is shifting back toward operational and compliance audits as well as assurance on the effectiveness of risk management; and too many audit committees are seriously questioning whether we have the capabilities to make this transition.

Internal audit groups that operate in conformance with the Standards regularly develop risk-based internal audit plans that take into consideration input from key stakeholders. For these internal audit groups, there should rarely be questions about internal auditors’ capabilities and effectiveness.

In our rush to get the job done, it can be tempting to overlook the basics. However, in the long run, basics such as conformance with professional standards can help ensure we are ready for whatever tomorrow brings. There may be no better way to ensure the success — and the continued promotional opportunities — of the internal auditors who follow in our footsteps.

What are your thoughts on the prospects for rising internal auditors?

Posted on Apr 7, 2014 by Richard Chambers

Share This Article:    

  1. Dear Richard, This is truly disappointing and especially so after the hopes we had for the profession, and its professionals after the passage of Sarbanes-Oxley. The law gave internal audit new prominence and the opportunity to take responsibility and the authority that goes with it. unfortunately, sometimes the lack of soft skills gets in the way. First, however, our professional must want to top jobs. Way back then I asked leading search professionals if CAE's would now get a seat at the table after SOx, be part of the leadership team now, rather hiding under the CFO skirts. Many, said that CAEs, generally, did not have the outward-facing personality and presentation skills needed to engage with the board. CAE were viewed as inside guys and gals, working hard in the background. It sounds like that perception can still an obstacle.
  1. Richard:  Thanks for sounding an alarm to members that survey statistics and feedback are suggesting increased dissatisfaction on the part of some key IA stakeholder groups.   My belief is that the IIA needs to carefully assess the new risk governance expectations that are emerging from  groups like the Financial Stability Board, the FRC in the UK, and financial regulators and the NACD in the U.S. and objectively determine if current IIA CIA/CRMA certification and training curriculum are equipping internal auditors to fully support boards of directors that are now expected to oversee management's risk appetite and tolerance. Francine McKenna's point above is also a key element that needs to be addressed.  I encourage my clients and audiences to join or at least monitor the NACD in the U.S., ICD in Canada and other organizations in other countries to really understand what boards and regulators want from IA.  Sometimes boards need help to take the time to identify and articulate their needs and expectations, just as customers of many goods/services often don't tell suppliers what they really want until after they have changed suppliers.  The work you and Paul Sobel are doing globally to raise the alarm is excellent, but more needs to be done across the full range of IIA standards, certifications, conferences and training offerings to ensure IA remains fully relevant to key customers in the years ahead

Leave a Reply