Staying on Track
President & CEO
The Institute of Internal Auditors
The past decade has seen a rise in the stature of the internal audit profession that is unparalleled in our history. Internal auditors have gained newfound respect from management and boards, and more organizations have internal audit functions in place than ever before. We have intensified our focus on risks, and new automated tools have resulted in notable increases in audit efficiency. We have enhanced our independence and strengthened internal audit reporting lines at many organizations.
It has truly been a decade of progress; and much of that progress is a result of the dedication and hard work of financial services auditors. Many of the leaders of the internal audit profession come from the financial services industry and, in part because of the number of auditors practicing in the financial services arena and because the industry is highly regulated, best practices for internal audit often seem to emerge directly from within the industry.
In my duties as president and CEO of The Institute, I have the opportunity to meet regularly with risk experts. They often share similar viewpoints regarding strategic risk — not just the strategic risks facing our individual organizations, but also those facing us as a profession. They are quick to point out that we, as a profession, need to address our strategic risks just as much as our organizations need to consider the strategic risks that can mean their success or failure.
There are at least five strategic risks that could derail our progress in the decade ahead. These risks must be addressed by both internal audit departments and individual auditors if we are to capitalize on the advancements of the past decade. Financial services auditors are particularly well-positioned to lead the way in addressing each of these important risks.
1. The Emergence of “Competitive” Risk, Controls, and Governance Functions.
When it comes to governance, risk, and controls, superior results come from teamwork, not from competition. In too many organizations, internal audit is developing a competitive relationship with risk and control professionals such as compliance officers, quality control specialists, fraud examiners, and ERM professionals.
Fortunately, this is one of the areas in which the financial services industry has supplied leading practices for our profession. In Europe, for example, use of the Three Lines of Defense model emerged from the financial services industry as a leading practice that enhances communications and clarifies responsibilities regarding risk management.
Acceptance of the model is rapidly spreading throughout the world, not just in the financial services industry but in many other industries, thanks at least in part to the many financial services auditors who reached out to their fellow internal auditors to share information on best practices.
2. Failure to Fully Conform to the International Professional Practices Framework.
More than ever, our stakeholders need specific assurance about the effectiveness and efficiency of internal audit. The International Standards for the Professional Practice of Internal Auditing were written for auditors by auditors, and they should be viewed not as optional but as the absolute minimum for acceptable internal audit performance. Unfortunately, however, only about half of internal audit departments are currently in compliance with our professional standards. In particular, we often ignore our own requirement for independent assessments of the internal audit function.
The day may come when someone asks you who audits the auditors or what professional standards are followed by your internal audit function. We need to be prepared to answer these questions in a way that is a credit to the profession. Financial services auditors help hold appraisers, underwriters, and other professional groups accountable to their standards. It’s past time to demonstrate that our own professional guidance is every bit as important as that of other professions.
3. Ineffective Management of Relationships with Key Internal Audit Stakeholders.
Our stakeholders’ needs are dynamic, and they are rarely completely aligned. Unfortunately, we may not be meeting our stakeholders’ expectations as well as we believe. A recent survey of internal audit stakeholders by Ernst & Young reveals that only 59 percent of stakeholders rate their internal audit function as “very effective” or even “somewhat effective.” Another survey published by The IIA Research Foundation indicates that almost half of stakeholders believe that internal audit does not excel at developing talent for leadership positions.
In part, these dismayingly low survey statistics may be based on misperceptions about the role of internal audit. We need to step up our communications with key stakeholders, and we need to take a new look at how we are meeting — or failing to meet — their expectations.
4. High-profile Lapses of Internal Auditor Integrity.
Perhaps the biggest challenges we face as a profession are simply maintaining a strong ethical compass and doing the right thing regardless of the personal and professional consequences. In the current environment, any accusations against internal auditors can rapidly become public scandals.
Allegations of high-profile failures of internal auditor integrity at leading organizations such as Avon, Biomet, and Wal-Mart can hurt the reputation of all internal auditors. The potential consequences are severe, thus we must create an environment and oversight processes within every internal audit function that help ensure the integrity of internal audit personnel.
The concept of “trust but verify” should apply not just to our clients but also to internal audit departments. Our stakeholders deserve assurance about internal audit independence and auditor integrity. They should be able to expect transparency and robust reporting on internal audit plans and activities, and about the accomplishment of our plans. We need to ensure, well in advance of any potential failure of internal auditor integrity, that internal audit reporting lines and communications are open and candid.
5. Inadequate Concentration on High-risk Areas.
This strategic risk may be especially challenging for some audit executives in the financial services industry, where rigorous regulatory requirements for specific types of audits must be addressed. A sharp focus on key risks is imperative to ensure that internal audit adds value, but true risk-based auditing can be challenging when elements of the annual audit plan are dictated by regulatory expectations or requirements.
It is essential that we communicate clearly to management and audit committees the potential impacts when internal audit resources are insufficient to address unacceptable risks. It also is imperative to ensure we have a shared view of the specific risks and opportunities facing our organizations.
Unfortunately, this may be an area in which internal audit is out of step with other parts of our organizations. Recent stakeholder surveys rate operating risks and compliance risks as the most important risks facing organizations in 2012; yet a higher percentage of internal audit resources are used to address financial risks than either operating or compliance risks.
Just imagine what your audit committee would say if they received two separate annual risk assessments — one from internal audit and one from enterprise risk management specialists or other professionals — and the two risk assessments contained very different views of organizational risks. This is not merely a hypothetical situation; it has happened at quite a few financial services organizations in the last year alone.
If we are truly communicating effectively with management regarding significant risk issues, in the great majority of situations we should be able to come to a shared consensus regarding the most significant risks and opportunities facing our organizations. In some cases, we may find that management is aware of a risk that deserves more of our attention. In other cases, we may be able to explain to management why certain risks merit more of their attention. In either case, we can expect our stakeholders to have an increased appreciation of the fact that scarce internal audit resources are being allocated towards the most important risks.
In the past decade, we have made significant progress as a profession, but our work is not done. The internal audit profession can either define its own future, or we can be defined by the future. The coming decade will be a time of continued growth and progress for the internal audit profession while we capitalize on the successes of the past decade. But our success is not assured, and without taking a keen look at our strategic risks and opportunities, the advancements of the past decade could quickly be undone.
To comment on this article, email the FSA Times editor, Shannon Steffee, at firstname.lastname@example.org.