August 2013


Imagine the Possibilities!


The IIA’s new chairman of the board, Paul Sobel, says internal auditors need to envision new ways to add value to their organization, and the profession as a whole.


Half a century ago, the land underlying the municipalities of Lake Buena Vista and Bay Lake, Fla. was a largely unpopulated patchwork of cattle ranches, citrus groves, scrub forests, and alligator- and snake-infested swamps. But that’s not what the late Walt Disney saw in his mind’s eye when he overflew those 47 square miles, just south of Orlando, in November 1963. Instead, Disney saw a prime location for a family vacation mecca.


Disney died before he could savor the first fruits of his fertile imagination, the 1971 opening of the Magic Kingdom theme park. But his vision still is very much alive. The Walt Disney World Resort’s theme parks, golf courses, hotels, restaurants, retail stores, and other attractions now bring joy to nearly 30 million visitors each year.


This lore came to mind while I was on stage during The IIA’s 2013 International Conference — held a mere 10 miles from the Disney resort. I mused that although the practice and stature of internal auditing have advanced significantly since the Magic Kingdom’s grand opening, many of those gains are by-products of transcendent events. As I looked out at the roomful of internal auditors from around the world, it struck me that our profession is too important to the well-being of organizations and the global economy alike to leave its future direction to chance. So, I concluded, what better time than now for practitioners to channel their inner Disney and focus not on what internal auditing is, but rather on what it might be. Thus, as I assume the role of IIA chairman of the board, I have made my theme the challenge and rallying cry, Imagine the Possibilities!



The first formal Standards for the Professional Practice of Internal Auditing, approved by The IIA’s Board of Directors 35 years ago when I was still a college student, defined our profession as “a control which functions by examining and evaluating the adequacy and effectiveness of other controls.” The words risk, governance, and consulting were nowhere to be found in those pioneering standards. This expansion of our profession’s services portfolio came only in 1999, during my stint at Arthur Andersen’s Business Risk Consulting practice, when the IIA board approved the contemporary definition of internal auditing. Specifically, that new definition requires practitioners to help their organization achieve its objectives “by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Imagining The IIA's Future

During my year as The Institute’s board chairman, I plan to work diligently with my fellow senior volunteers, global institute leaders, and IIA staff to complete and implement numerous initiatives that I imagine will shape the profession for years to come. Among these are:

Executing institute/chapter agreements. I expect every global institute and North American chapter to sign a new agreement with The IIA to better articulate the roles and responsibilities of each. Fulfilling this initiative will help ensure institutes and chapters will focus on best serving their membership, while The IIA supports those needs and advances the global profession.

Sharpening the board’s focus on risk. As we redefine the various governance roles within the IIA volunteer structure, we will be able to better tap into the broad experiences and diverse perspectives of members of our board to help advance the profession in an increasingly complex world.

Advancing advocacy. I will work to advance the International Integrated Reporting Council’s agenda for making financial reporting more comprehensive, get our International Standards for the Professional Practice of Internal Auditing (Standards) recognized by the global Financial Stability Board, and build close ties to associations that represent boards and audit committees.

Recasting the International Professional Practices Framework (IPPF). The foundation of our profession, the IPPF, may need to be restructured to meet our future practice needs. The study of this matter will require, in part, assessing whether the Standards are minimum requirements or aspirational, again reconsidering the definition of internal auditing, and evaluating whether there should be different levels of “strongly recommended” guidance.

Emphasizing certification. With the rollout of the new three-part Certified Internal Auditor exam and the new Certification in Risk Management Assurance exam, and further progress with the Certification Suite, I expect renewed emphasis on enhancing professionalism of internal auditors around the world by getting more internal auditors certified.

Identifying learning pathways. With the issuance of the new Competency Framework, focus now must turn to ensuring the availability of training and other global and local developmental pathways to help internal auditors achieve necessary competency levels.



Not long thereafter, internal auditors were thrust into the role of transforming the board’s vision of the profession into workplace actions. The governance debacles at Enron Corp., WorldCom Inc., and a host of other organizations roiled world financial markets just as I was assuming the chief audit executive (CAE) role at Aquila Inc., an energy company in Kansas City, Mo. These senior management-led financial reporting frauds, in turn, prompted many governments to enact remedial legislation such as the U.S. Sarbanes-Oxley Act of 2002.


These statutes — which, in general, require management to assess, attest to the adequacy of, and publicly report on the organization’s system of financial control — enabled our profession to showcase its control expertise. In fact, for several years, many internal audit activities were all but consumed by the tasks of helping guide management through its process of identifying and testing key financial controls and by providing independent, objective assurance that management’s test results were accurately reported. In 2004, my first full year as CAE at Atlanta-based energy company Mirant Corp., 75 percent of our internal audit hours were spent on Sarbanes-Oxley related activities.


The failures of numerous large financial institutions in 2008 triggered a global financial crisis that sparked a recession from which some nations still are struggling to emerge. Once more, many governments scrambled to enact systemic reform legislation, such as the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. And again, internal auditors gained prominence as regulators, audit committees, and other stakeholders began tapping our profession’s expertise in assessing the adequacy of organizations’ risk management processes and governance. I found that many of the risk management practices I learned at Arthur Andersen and honed at Aquila and Mirant were valuable in helping Mirant’s board and management become comfortable that they could weather the financial storm.



Many longtime practitioners and observers of our profession conclude that internal auditors have so capably seized the many opportunities to shine afforded them during the last 15 years that our profession is more widely respected today than ever in its modern history. Although I too observe this generally is the case, practitioners cannot afford to sit contentedly by and wait to see what hand others will deal them next. Instead, the time has come for us to imagine our profession’s possibilities and begin taking giant steps toward realizing them.


Merely beginning this process likely will have a salutary effect on internal auditors and their stakeholders — notably, senior executives and audit committee members. For example, imagining future professional possibilities should help auditors find ongoing fulfillment in their work and gain confidence that they can become indispensable to their organization. Stakeholder witnesses of the process should become more comfortable that internal audit is striving to provide the assurance and advice they need to help the organization achieve sustainable success.


IIA President and CEO Richard Chambers says internal auditors worldwide have five “must dos” during the rest of this decade and possibly beyond. These imperatives are a solid foundation on which to base imagined possibilities for our profession:

  • Embrace and leverage a continuous focus on risks. Risk assessment tends to be an annual activity; new risks often come to internal audit’s attention only after they have adversely impacted the organization in some way. I imagine it is possible to have more foresight than that, to be prescient enough to see risks emerging and alert management to their existence and implications before they cause harm. I imagine, for example, that auditors can find creative ways to tap into management’s monitoring of the external business environment, do their own research and monitoring, develop diagnostic tools, and brainstorm highly improbable “black swan” events.
  • Provide assurance on risk management. Organizations cannot achieve their objectives merely by reporting financial information accurately and complying fully with the laws and regulations that have sprung up around the world in response to financial reporting frauds and financial crises. They also must manage key strategic and operational risks effectively. I imagine internal audit activities are capable of providing executives and directors with assurance related to those and other key risks  and even going one step further by providing assurance on the adequacy of the risk management system as a whole.

    Although this latter activity may seem somewhat daunting and professionally risky, I envision that simply providing negative assurance — that is, being content telling the C-suite and the audit committee that “during the limited number of audits conducted this year, nothing has come to our attention to indicate risk management is not effective” — will be insufficient in the future. Instead, I imagine we must position internal audit as providers of positive assurance to stakeholders that “risk management activities are designed adequately and operating effectively to provide reasonable assurance that risks are managed to an acceptable level and objectives can be achieved.”
  • Enhance proficiency with data mining and analytics. The data being created, stored, and analyzed for business purposes is proliferating at an incredible rate — a phenomenon commonly referred to as big data. I imagine all internal auditors, not just the IT specialists among us, will begin learning how to access their organization’s data trove whenever they need it, creatively mine and analyze that data, and develop dashboards that not only will facilitate the audit process but also serve as continuous monitoring and strategic decision-making tools for management.
  • Secure a “seat at the table” during pivotal strategic and operational discussions by management. This imperative does not entail internal auditors making strategic and operating decisions; rather, it is about giving executives confidence they can make such decisions. Auditors must earn their seat at the decision-making table, and I imagine they can do so by sharing knowledge that will help management fully understand the risks inherent in its various strategic and operational action plans. This goes beyond understanding the “what could go wrong” risks. It also includes embracing and pursuing the “what must go right” risks. I further imagine internal auditors can provide assurance that their organization has the people, processes, and systems capabilities needed to successfully execute those actions and manage those risks.
  • Develop expertise in addressing key risks. The skills of many of today’s internal auditors are insufficient to meet the preceding four imperatives. I imagine all CAEs will ensure their staff possesses the diverse set of competencies now needed for success. These capabilities most notably include business and industry knowledge, risk acumen, technology skills, critical thinking skills, and creative problem-solving capabilities. I envision that fulfilling this task may require looking for new sources of talent, adopting different training sources and methods, and embracing novel ways of coaching and mentoring staff.

This list is far from comprehensive. Imagine, for example, the opportunities presented to internal audit by emerging technologies. Imagine carrying around only a tablet device while conducting an audit to access data anywhere — whether on a factory floor or in the C-suite. And imagine software capable of depicting every step in a business process, thereby enabling internal auditors to visually rearrange that process to enhance controls and improve efficiency.


There are undoubtedly many other good ideas for advancing the practice and stature of internal auditing that are beyond my own imagination. I look forward during my tenure as chairman to hearing from creative members of our profession around the world about the possibilities they imagine. I promise to share those thoughts with you periodically.



Anthropologists and psychologists tell us humans tend to feel comfortable and safe performing familiar rituals in familiar places. So it is not surprising many internal auditors  are quite comfortable practicing as they always have. But I cannot imagine how those who choose this approach can continue succeeding professionally in today’s dynamic business world. Conversely, those who dare to imagine possibilities can help create a future in which internal audit is viewed by stakeholders and society as an enabler of sustainable value. As Walt Disney once said, “All our dreams can come true if we have the courage to pursue them.”


Paul J. Sobel, CIA, CRMA, is vice president and chief audit executive of Georgia–Pacific LLC in Atlanta.


Also in this issue:


Share This Article:    

We can make the possibilities probabilities!
Paul. Looking at the five 'must dos' above, I believe they are desirable and achievable. I think they are interlinked by how internal auditors become involved with risks. For the first two points above, internal auditors need to ensure the organisation has a comprehensive register of its risks and then drive the internal audits from this register. This has an advantage in that it directly relates the audit work on internal controls back through the risks being managed by the controls to the objectives of the organisation. Thus it clearly ties the audit work to the organisation's objectives and therefore value added. It also provides internal audit with an objective means of assessing its effectiveness. At the start of the year it can agree a plan with the audit committee designed to provide an opinion on whether specified risks are being managed to within the organisation's risk appetite, which can constitute the department's target for the year. These risks will represent a certain proportion of the organisations total risks (say 25%). If the committee considers this percentage to be too low, it can require more audit staff. In other words there is now an objective means of deciding on audit staff numbers. At the end of the year, internal audit can report on the actual number of risks examined and the proportion considered properly managed (see my reply to Norman Marks blog on audit opinions). Thus the C-suite and audit committee gets an objective view on the management of risks and can see whether the internal audit department has achieved its objectives. There is certainly a need to consider data mining and the information which can be derived from it. In practice this can be related to risk management (my site at gives ideas). Internal auditors will secure a 'seat at the table' because the risks being examined will be at the very heart of the organisation's objectives. For example risks resulting from unsafe products, poor anticipation of market trends, bad investment decisions. One audit which I think is particularly relevant, which I instigated at my last company, is an audit looking at the process of board investment approvals. For example does the board paper contain clear objectives for the investment; a clear financial justification, independently audited and with a financial model (say using @RISK); are the risks of the investment clearly spelt out with the methods for managing them? Audits of this type address the risks threatening the very core of the organisation and will ensure a 'seat at the table'. As your last point makes clear, the big challenge for internal auditors is earning that seat by ensuring it has sufficient expertise. Risk based internal auditing is not easy (see for details). It does away with audit programmes with their easy staff budgeting; it requires much more involvement with senior management; it needs managing much more than compliance and systems auditing. It's a difficult, but ultimately, rewarding challenge!
Posted By: David Griffiths
2013-08-21 7:28 AM
Imagining the Possibilities - Public Sector Internal Auditing
As I read your article, I happen to be in Nay Pyi Taw, the newish Orlando-lookalike capital of Myanmar. Today I presented the possibilities and value intrinsic to professional internal audit to a keenly interested group of 29 public sector internal auditors. They, like their country, are making a serious effort to catch up with the rest of the world on so many fronts - including internal auditing. And so we dreamed a but of what might be, if professional internal auditing could just take root. My visit with Myanmar's aspirant public sector internal auditors is proof that a growing need exists in places like this as well as many other places less privileged than where I live. While the IIA needs to move ahead as a leader in the practice of internal auditing, please give thought to many in the public sector internal auditor community who do not have access to the internet, Orlando, and so much more. If we leave them behind, the profession really does not move ahead as far or fast as you and I believe it must. Graham Joscelyne
Posted By: J Graham Joscelyen
2013-08-08 7:59 AM


Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.





To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>


Subscribe_June 2014 


IIA OnSite_July2014



IIA SmartBrief




facebook IAO