Protiviti Suggests Refocusing the Internal Audit Agenda

In their latest issue of The Bulletin (PDF), Protiviti summarizes recent developments in the business environment and suggests internal audit teams should capitalize on changing expectations. They highlight these areas:

  • Manage audit committee expectations. As these change, internal audit should be ready to adapt.
  • Evaluate IT security and privacy. These continue to be areas of risk that hit the headlines and, as a result, boardroom agendas.
  • Conduct value-added risk assessments. The authors point out that risk assessments must be kept current, and that internal audit should always add their own insights to any risk assessment process by management. But, I would have liked to have seen more emphasis on internal audit assessing and contributing to the improvement of management’s risk management programs.
  • Use assurance maps to identify vital assurance processes. They reference an IIA Practice Guide that I frequently recommend. However, I would have liked them to point out that this tool is excellent for identifying where there are gaps — nobody provides assurance that the company is complying with a law or regulation — and overlaps — where there is redundant and duplicative coverage.
  • Keep priorities up to date. This should relate to the maintenance of an updated risk assessment that is linked to an updated audit plan — flexible enough to ensure the significant risks today are addressed in the audit, not the risks when the plan was updated several months ago. However, Protiviti has chosen to talk about a ‘more balanced focus’ rather than a focus on what matters – and that may not be balanced at all! I know they support addressing what matters, and maybe they mean to say that you need to consider all areas of risk in building a plan that addresses what matters – the more significant risks.
  • Leverage technology to expand coverage. This pretty much goes without saying, but I wish Protiviti had emphasized using technology to understand the business and its risks in addition to its use for testing.
  • Acquire, develop, and distribute talent.
  • Demonstrate positive change. Personally, I prefer to talk about effecting change.

As usual, Protiviti has given us thoughts to stimulate thinking. I appreciate that and congratulate them.

One thing concerns me, I must admit, with the tone of the piece. While internal audit must be responsive to changing expectations, it cannot afford to be passive. Internal audit needs to lead the board and executive management, explaining the potential for internal audit and the assurance and consulting services it offers.

What is your opinion on internal audit and change? What changes are needed and why?

Posted on Aug 18, 2011 by Norman Marks

Share This Article:    

  1. Thank you, Norman, for commenting on our latest issue of The Bulletin.  We appreciate the exposure.  I agree completely with you that the CAE cannot afford to be passive.  I would suggest that forcing a dialogue with stakeholders around the agenda issues we cited is not an exercise for the timid and affords an opportunity to broaden the focus of the audit plan. 

    Regarding IIA Practice Advisory 2050-2, I agree with you that it is a great tool for identifying gaps and overlaps.  On page 4, we say, "An assurance map clarifies 'who does what' at the different levels of assurance and identifies gaps and overlaps against the various risk-based expectations set by the board and executive management."  I continue to believe that this Practice Advisory is one of the most potentially impactful but underutilized Practice Advisories the IIA has issued. I also agree with you a focus on what matters is vital. 

    When we used the word "balanced" we were relating implicitly to the issue of intenal audit functions being too  focused on financial reporting controls and/or compliance matters.  What we said in The Bulletin was, "For many internal audit groups, prioritizing what's important means directing attention to a more balanced focus on strategic issues, effectiveness and efficiency of operations, and compliance with laws and regulations."  What we meant when we said that was that "priortizing what's important" LEADS to a more balanced approach.  That was our thinking.  

    Again, thanks for the comments and taking an interest in this issue of The Bulletin concerning topics so important to our profession.  Regards.     

Leave a Reply