- Richard Chambers On The Profession

Is Internal Audit Losing Value? Not So Fast, My Friend!

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.


I recently spotted the headline “Is Internal Audit Losing Value?” in a respected business journal. It was for an article based on survey results in one of the multitude of white papers on the internal audit profession that come out around the first quarter each year. Researchers indicated that a greater number of managers are questioning whether they receive “significant value” from internal audit.

The survey found that 68 percent of board members believe internal audit adds “significant value,” while 65 percent believe it “performs well.”

Is there room for improvement? Absolutely. But, when I read headlines that suggest internal audit is perceived as providing less value, I am reminded of the favorite retort of ESPN sports broadcaster Lee Corso — “Not so fast, my friend!”

I am concerned — but not terribly surprised — that a gap in stakeholder expectations for internal audit has opened up in some organizations. Stakeholder expectations are always a moving target. Sometimes, the shifts are barely noticeable. Other times, they can be swift and seismic. The changes are often positive in the long run, but change can be painful until we have fully adapted to the new expectations.

Before 2001, leading internal audit departments were expanding their skills to include a widening variety of consulting projects, operational audits, control self-assessments, and other value-added engagements. Then came Sarbanes-Oxley in 2002.

A period of a year or two followed when many internal audit functions felt they didn’t have the tools to get the job done. It wasn’t that the profession had suddenly grown weak or less effective; the issue was a matter of the skill set necessary to address rapidly changing stakeholder needs. Having retooled extensively to address expectations in the late 1990s, many internal audit functions simply didn’t have the accounting expertise on staff to concentrate on financial reporting internal controls, which had suddenly become a critical concern of stakeholders.

Fortunately, the profession responded quickly and, ultimately, Sarbanes-Oxley ushered in a new appreciation for internal auditing. We adjusted staffing and training, and audit groups that adapted quickly tended to flourish. Our stakeholders came to understand and appreciate the important roles we could play regarding financial controls. Improved reporting relationships for internal audit, enhanced resources, and increasingly positive stakeholder surveys reflected strong levels of satisfaction.

We can serve our customers well only if we know what they want — and only if we give them what they want. Unfortunately, what they want is often in a state of flux.

Stakeholder needs didn’t stop evolving even as we redefined our roles and developed the requisite skills to deal with Sarbanes-Oxley. Many are again raising their expectations, especially in the area of risk and risk management. This shouldn’t catch us off guard. From its inception, internal auditing has gone through cycles in which the focus has shifted from accounting and financial issues to operational issues, then back again.

Management and boards understand that Sarbanes-Oxley is no longer the “all hands on deck” issue it was a decade ago, and they are looking to internal audit for help with new and more urgent priorities. To be sure, internal auditors understand that adequacy of internal controls over financial reporting is not the biggest risk facing the corporate sector in 2014.

But change does not come easy or quickly. We are going through a phase in which some internal audit functions may not have the skill sets needed to address the new risks/expectations, and stakeholders — particularly management — are beginning to question whether we are able to meet their latest needs.

It’s said that, if you wait for customers to tell you that you need to do something, you're too late. Good business leaders must be at least a half step ahead of what customers want — and good auditors need to be at least a half step ahead of management.

There is clearly a gap in meeting stakeholder expectations in many organizations. We would only be sticking our head in the sand to deny the scope of the problem. My advice to every chief audit executive (CAE) is to identify the gaps and forge a plan to swiftly address them.

A recent Pulse of the Profession survey by The IIA Audit Executive Center offers insights into which strategies CAEs deploy to assess stakeholder expectations:

  1. Ongoing informal discussions with the audit committee chair to assess expectations – 69 percent.
  2. Regular formal meetings with key stakeholders to assess expectations – 59 percent.
  3. Discussions with the full audit committee to assess collective expectations – 57 percent.
  4. Formal surveys of stakeholders to assess expectations/performance – 40 percent.
  5. Discussions with the full executive leadership/management team in the same room to assess collective expectations/performance – 26 percent.

Once you have a clear understanding of the gaps in internal audit’s ability to address expectations, you can work to address the gaps. The problem may be simply that internal audit is not focused on the key risks. This is why we must have robust discussions with management and the board during the risk assessment and audit planning processes. If skills are the problem, deploy creative sourcing and knowledge management strategies to embed the right capabilities in internal audit.

As the noted Danish philosopher Soren Kierkegaard once said, "All change is preceded by crisis.” I don’t believe that matters have reached crisis proportions where stakeholder expectations are concerned, but it is never too early for change.

What are some of the ways you ensure your stakeholder expectations are being met?

Posted on Apr 29, 2014 by Richard Chambers

Share This Article:    

  1. Richard: The FSB has done a good job defining what a truly effective IA shop do. (see below) IA departments should self-assess how they are doing on these new expectations.

    Internal audit (or other independent assessor) should:

    a) routinely include assessments of the RAF on an institution-wide basis as well as on an individual business line and legal entity basis;

    b) identify whether breaches in risk limits are being appropriately identified, escalated and reported, and report on the implementation of the RAF to the board and senior management as appropriate;

    c) independently assess periodically the design and effectiveness of the RAF and its alignment with supervisory expectations;

    d) assess the effectiveness of the implementation of the RAF, including linkage to organisational culture, as well as strategic and business planning, compensation, and decision-making processes;

    e) assess the design and effectiveness of risk measurement techniques and MIS used to monitor the institution’s risk profile in relation to its risk appetite;

    f) report any material deficiencies in the RAF and on alignment (or otherwise) of risk appetite and risk profile with risk culture to the board and senior management in a timely manner; and

    g) evaluate the need to supplement its own independent assessment with expertise from third parties to provide a comprehensive independent view of the effectiveness of the RAF.

  1. To All: In case the acronym "RAF" isn't familiar the FSB guidance on attributes of an effective "RISK APPETITE FRAMEWORK" can be sourced at:

    http://www.financialstabilityboard.org/publications/r_131118.pdf

  1.  But I think the key question you need to ask yourself Richard is first to go back and read the article in the IIA magazine of last month by Ruth Pritchett on the life of Merywn King and what he has been trying to do for only the past 20 years in governance.

    You would probably agree that he is the leading authority in governance around the globe or close to that. he discusses at length the inclusive versus exclusive approaches to viewing stakeholders.

    Several other countries such as the UK, Australia/New Zealand, Canada and South Africa have adopted the inclusive approach.

     

    The question for you is what specifically has been done in this regard in the United States. What specific training has the IIA provided in the last ten years that would equip internal auditors to be able to adapt to this inclusive approach

     

     

  1. Dear Mr. Richard,

    I am associated with the internal Audit Profession for over a period of 5 years now.

    Your Article is of true value to me as you have rightly pointed out that we as internal auditors should always be on our toes to gauge and meet management expectations.

    I don’t know how correct I am to say that, but I believe, our role as internal auditor has changed from the operational or financial auditor to Strategic Advisor, at least the management believes so.

    Now meet the ever changing expectation obviously is not going to be easy. But I believe the right way is the two way communication with the management better we know the expectations better we will meet them.

    I think Strong Audit Committee having suitable professional member is always a plus for smooth Internal Audit work, at least the expectations are clear and known.

    I think the best way is to ask for the immediate feedback of operational managers and those charged with governance. To my belief this should be an informal discussion, because people stereotype, when asked to give a formal feedback  

  1. When are we going to stop asking ourselves and others if we add value?  It's like asking the question "should we exist?"  No other profession does so; instead they market their strengths.  We know why we exist and we know that the chances of getting a huge percentage of people to acknowledge it in some major positive way is unlikely because human nature does not react positively to someone else looking over its shoulder. 

    Yes, we should ask our stakeholders if there are other risks requiring focus and more types of certain audits desired, but I suggest it's high time we stop asking ourselves and others if we should exist, and refocus our efforts on demonstrating and selling our strengths or values to business and society.

Leave a Reply