Tomorrow's Internal Auditor

 

Neil Baker
Editor, Internal Auditing and Business Risk

(Originally published Dec. 2007)

Where is the internal audit profession likely to be in three years? If you asked that question back in 2000, many people would have predicted a move away from basic compliance work and forecast a future dominated by consulting assignments. But then there were a series of high-profile scandals, followed by the U.S. Sarbanes-Oxley Act of 2002, and everything it entailed. Many internal audit shops around the world — whether or not they were directly affected by Sarbanes-Oxley — refocused on "old school" financial controls auditing. The predictions about the future of the profession were wrong.

But that doesn't mean time spent thinking about internal auditing's future is any less important. "The alternative — sitting back and assuming things won't change — is not very attractive," says Rod Winters, president of The IIA Research Foundation (IIARF) and general auditor for Microsoft Corp. "We have an obligation to try and discern where the profession is going."

That's one of the goals The IIA has attempted to achieve with its Common Body of Knowledge (CBOK) project, commissioned by The IIARF. The survey underpinning CBOK provides a benchmark of where the profession is today, but it also pulls together auditor views from around the world—and from every flavor of organization — about how practitioners think internal auditing is likely to develop.

What does CBOK say about the future direction of the profession? Researchers are still analyzing the detailed data, but some big trends stand out (see "Bigger Workload, Broader Scope"). The focus of internal audit work is expected to shift, the kind of work auditors do — and how they do it — is likely to change, and the role of internal auditing is forecast to become more strategic.

ON THE SAME ROAD

One conclusion to draw from the CBOK research is that internal audit shops around the world are heading in the same direction, even if some are farther down the road than others. Local factors, such as regulation, will affect the way auditing develops, but the research shows that the big trends affecting the profession are global, Winters says. "We are all at different stages of the continuum," he explains, "but the themes, trends, and underlying objectives all seem to share a surprising amount of congruence."

In Turkey, for example, one local factor driving change is the expectation that the country may soon join the European Union. That's a unique encouragement for companies to invest in internal auditing, but the kind of improvements they are seeking to make would be familiar to auditors elsewhere.

Phil Tarling, who works on international audit and risk projects for accountants RSM Bentley Jennison, has helped develop internal auditing in Turkey as well as Estonia, Poland, and other places across central and Eastern Europe. He says that auditing practices in those countries are at different stages of development, but they are all on the same road. "The message is getting through that the auditor of tomorrow has got to be more focused on adding value—helping management," Tarling says.

For Özlem Aykaç, chief audit executive at Coca-Cola Icecek, an independent company that sells and distributes soft drinks across Turkey and other nearby countries, the three key priorities are corporate governance, risk management, and information technology (IT). In five years, Aykaç says he expects his team to be doing more consultancy assignments, more continuous auditing, and more specialty audits, particularly relating to IT, treasury, and mergers and acquisitions.

Those themes cited by Aykaç top the CBOK survey and resonate at other organizations around the world. Zhang Yu, vice secretary general of IIA-China, says over the next five years the focus of the country's audit shops will move from financial audit to operational concerns. Like other senior auditors around the world, she also sees a shift from investigating fraud to evaluating internal control, and from compliance auditing to performance auditing, IT auditing, and risk management. The skills that China's auditors will need to develop are also the same as elsewhere: those she sees in demand are IT auditing, investigation and analysis, performance evaluation, and interpersonal communications.

In Rome, Bambis Constantinides is director of the Office of Audit and Oversight at the International Fund for Agricultural Development, a United Nations agency. He says one of the big trends affecting the development of internal auditing in his shop will be an organizational shift to enterprise risk management (ERM) and a clarification of internal auditing's role in any resulting framework. He also expects to see internal auditing work more closely with the organization's other oversight functions and make much greater use of technology tools in audit assignments. "Advanced IT skills will become indispensable for all our auditors," he says.

A shift to ERM and an increasing role for risk in the strategic audit plan also are key trends influencing the development of Bill Middleton's audit shop in New South Wales, Australia. In five years, Middleton, director of audit and risk management for part of the local state government, says his audit shop will be more focused on strategic issues and less involved in more mundane financial audit projects. "Our staffing mix and skills will be different," he explains. "The audit profile is currently moving to more of a consulting role with less emphasis on the traditional financial audit activities. Having invested a lot of time over the last few years improving the organization's governance and control mechanisms, we are now in a position to assist further in streamlining operations and adding value in the consulting capacity." A focus on strategic risks and an increased use of IT tools will require auditors with new skills, he says. "We need people with business analyst, workshop facilitation, consulting, and risk management skills."

Internal auditors affected by Sarbanes-Oxley say the legislation will remain an important influence over their future workload, but the nature of that influence could change. Kiko Harvey, vice president of internal audit at Starbucks, the coffee-shop chain, predicts that organizations will want to bring in house more of the Sarbanes-Oxley compliance work that their external auditors currently do, now that revised guidance allows such firms to place greater reliance on the work done by corporate functions. Much of that work is likely to fall into internal auditing's lap, simply because internal audits cost less than external audits.

The result, says Harvey, is that internal audit functions are likely to grow. "But I don't think we're just going to grow to work on Sarbanes-Oxley," she says. In fact, as companies get used to complying with the legislation, the burden on internal auditing should ease. "When we grow, we're going to be taking on a lot of consulting-type engagements," she says, such as financial due diligence on acquisitions or auditing contracts.

"These are things that we used to outsource, but that expertise will transfer to internal audit functions," Harvey says. As the workload and scope of audit work increases, it will make more sense to recruit specialist expertise to the in-house shop, rather than buy it when needed, she predicts.

This is already happening at Starbucks. "We are seeing a reduction in the reliance that we put on our cosourcing partners," Harvey says. "We do cosource, but we do it differently now. We used to cosource because we didn't have the expertise to do some of the larger jobs, so we would rely very heavily on the planning and resources of our service provider. Now I expect to see them working more on advisory services — changing the way we do our work and leveraging their thought processes into bringing the function to the next level." Instead of bodies or expertise, she wants ideas about how to add more value.

The focus of the Starbucks audit shop is changing, too. "A lot of internal audit functions, ours included, tend to say 'what is management's policy, what does management think people are doing?' and then we check to see if they are doing it," she explains. "In the future, we will be looking at playing a bigger role in evaluating whether that policy was right to begin with." Harvey also wants to look at new areas, such as the quality of information managers rely on when they make decisions and the performance indicators they use to guide the business. "We want to evaluate those factors that maybe are not financial, and maybe are not as easy to audit, but that need to get looked at," she says.

As the Starbucks audit function grows (it has 16 posts currently), Harvey expects it to move to a more global footing, a trend that will affect other shops too, she says. "We are going to be managing international audit functions where not everybody is located in one central place. Managing a worldwide audit function is going to be very different," Harvey says, predicting more remote working, fewer face-to-face meetings, less "looking into the eyes of the client," as long as it doesn't damage the quality of the work. "The technology that is available to us now is going to change our place of work," she says. Middleton sees the same change. "We spend considerable time traveling to our clients in remote parts of Australia," he says. "Video conferencing and electronic whiteboards combined with advances in our IT systems will allow us to be better connected to remote staff and clients while having more analytical power to drill down to key issues online."

A CLOSER LOOK AT RISK

Clearly, these auditors are thinking hard about how to meet the future assurance needs of their organizations. But might the wider value proposition of internal auditing change, too? Dick Anderson says he thinks so. Anderson is a member of the IIARF's Board of Trustees and a partner at PricewaterhouseCoopers (PwC). The firm has recently produced its own research into the future of internal auditing, which asks where the profession might be in 2012 — a more distant horizon than the CBOK study. The headline finding is that two distinct models of internal audit value are emerging, Anderson says.

The first of these is a continuation of what most internal audit shops do now: providing assurance around the adequacy of the internal control system. Internal auditors might do a risk assessment to decide what to audit, but their work is clearly focused on controls. In the PwC study of Fortune 250 companies, many still saw this as the way forward. But other audit shops saw themselves going down a different path.

Those auditors said Sarbanes-Oxley had given their organizations a much clearer focus on controls and improved the standard of control monitoring work done by managers. That hasn't made their controls assurance work redundant, but, Anderson says, "If all internal auditing is bringing to the table is more assurance around controls, that's probably not a value proposition that enhances internal auditing at all."

Looking for new ways to add value, these audit shops have landed on a different way of thinking about risk, Anderson says. They still look at risk as a driver of where to direct their audit efforts, but they are also finding ways to provide more assurance around risk management processes. "That kind of work has been part of The IIA's definition of internal auditing for years, but it's been very rare to find people doing it," Anderson notes.

Anderson says this trend of providing assurance on risk management processes is genuinely new. It's not the same as risk-based internal auditing, it's not limited to U.S. companies that have been through Sarbanes-Oxley, and it's not something that auditors from only large corporations can attempt. "Large companies are leading the way, but over time they will bring the rest of the population with them," he says. "As big internal audit groups develop different approaches, skills, and tools, there will be a trickle-down effect and we'll see smaller organizations move in the same direction." In practice it involves getting a much better understanding of the organization's risk profile, finding ways to spot changes in that profile much more regularly, and addressing new kinds of risk, such as reputational or strategic risk. "These risks are very significant to the company but are not the areas internal auditing traditionally looks at from a control standpoint," he says.

Patricia Miller, a partner in Enterprise Risk Services at Deloitte & Touche in Oakland, Calif., also believes internal auditors will change the way they think about risk in the years ahead, but she offers a different emphasis than Anderson. Auditors will focus on the vulnerability created by a risk, rather than the probability that it will arise, says Miller, who is a member of The IIA's Executive Committee.

Right now, the focus is on probabilities as a way of targeting audit effort, "but if you are doing an internal audit risk assessment and thinking about impact and likelihood, you are probably ending up with the wrong set of risks to focus on," Miller says. "Some low-probability risks have blown companies out of the water."

Focusing on vulnerability — the residual risk — "is a different way of thinking about how you focus your audit plan," she says. "And once you've focused your audit plan, it can guide you to what kind of audit you should do. Should it be more assurance based, because you believe you have low vulnerability, or a proactive, consultative kind of audit where you help to design controls, because you are currently very vulnerable?"

That's neither away from compliance nor toward consulting. Proactive risk management can help to determine the best balance of compliance and consultative auditing, says Miller, stressing that audit shops have always had to balance these two approaches — what she calls protecting enterprise value and enhancing enterprise value. In the early 1980s, internal auditing was a compliance activity, but it gradually shifted its work to value-adding consultancy, she says. Some audit shops recruited people with masters-level business degrees rather than accounting degrees. "Then with Sarbanes-Oxley it shifted all the way back over very quickly," she says. Many audit shops affected by Sarbanes-Oxley found they didn't have enough people with financial control skills.

Miller says the key word for the future is "balance." "You don't want to do all compliance work, nor do you want to focus exclusively on helping the business to do better. You have to balance both of those because that is where you are going to provide the most value to the shareholders," she explains. "There's nothing new about that."

A BAROMETER OF THE PROFESSION

This kind of gazing into the future is an inherently subjective exercise, and one fraught with risk. Nobody knows where the profession is heading, not with any certainty. CBOK is a subjective exercise, too, but its conclusions are at least amalgamated from the views of more than 9,300 internal auditors in 89 countries. Its findings are enormously valuable, says the IIARF's Winters. For one, they provide an opportunity for The IIA's global staff and volunteers to validate their thinking about the trends that will affect the profession. They will also filter into plans to develop new standards, training, tools, and services. "All of these elements are important to the success of the profession, and CBOK is a good indication of where we are on the right track and where we need additional work," he says.

To comment on this article, e-mail the author at neil.baker@theiia.org.

 


Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

April 2012 IA Online Cover

CCH 2012-2

UCMC 2012 

 International Conference Boston 2012

 

GRC August 2012 

 

 Twitter 
 

facebook IAO 

IA APP