IIA President and CEO Richard Chambers reflects on the audit profession’s recent challenges and helps define the way forward for practitioners.

Some distinct trends stand out. But to understand where the profession is going, auditors first need to consider where they’ve been and view the impact of the financial crisis in that longer-term context.

The internal audit profession has been on a thrilling ride over the past 10 years. To provide the value stakeholders demand, internal auditors have had to be quick on their feet, adapting rapidly to changing needs and expectations. They’ve needed the professional acumen, character, and skills to navigate unfamiliar waters. The process has been challenging, but that’s one reason why internal auditing is such a rewarding career.
 

I surprise myself sometimes when I remember that the current professional definition of internal auditing is only 10 years old. It’s easy to forget what a big leap forward auditors took when, in 1999, practitioners agreed that their role was to be an independent and objective activity focused on risk management, controls, and governance. That new definition opened exciting doorways for internal auditors around the world.

Back then, most internal auditors were not performing many of the activities that audit shops today would regard as commonplace. In particular, the new definition empowered auditors to spend much more time looking at risks and thinking about risk through a much wider lens. Audit shops started routinely performing their own assessments of enterprise risk and used them to allocate their resources. Many IIA members also started to act more like consultants, using their risk and control skills to help management identify business solutions. Internal auditors were comfortably transitioning into a new model that emphasized the value added by the profession in a flexible framework of service delivery.

But it did not take long before everything changed again — or at least it did for many audit shops. The early years of the last decade saw a series of remarkable corporate failures, mostly involving senior executives who “cooked” the accounts. The fate of companies such as Enron, WorldCom, and Parmalat prompted regulators around the world to get tougher on financial reporting controls. The United States passed the Sarbanes-Oxley Act of 2002, which affected any business with a U.S. listing. Many other jurisdictions introduced similar measures.

Management may have resented the onerous challenges of complying with this kind of regulation, but it gave internal auditing an unprecedented boost. Some people have referred to laws requiring assertion on the effectiveness of financial controls as “full-employment acts” for internal auditors. These laws also raised the status and independence of chief audit executives (CAEs). Suddenly, internal auditing was a hot profession.

But there was a downside to the profession’s growth. In the aftermath of the accounting scandals, many internal auditors shelved the idea of providing consulting services or looking at wider risks. Suddenly they returned to their roots, focusing virtually all of their resources on financial controls. From a pure risk perspective, that shift in focus was necessary at the time; the consequences of discovering a material accounting error were severe. But many internal audit shops became too focused on this one important, yet narrow, area of activity. Some worked almost exclusively on Sarbanes-Oxley compliance, leaving areas such as operations, strategy, and the quality of risk management open and vulnerable.

This intensive focus on financial controls could never persist. As companies navigated the learning curve of complying with financial control laws, the need for so much internal audit scrutiny was beginning to taper off. By 2007, many companies were already rethinking what kind of audit shop they needed, how big it had to be, and what kind of skills and experience it needed to contain. Forward-thinking CAEs were asking themselves the same questions.

And then the financial crisis hit. Some appalling risk management practices had been allowed to develop within many organizations, particularly in the financial services arena. Management secured extraordinary latitude to define risk appetite and accept risks, corporate governance models did not do enough to emphasize the board of directors’ role in risk management, and little was done to mitigate certain high-impact but low likelihood risks. Over the last 18 months many companies, and the global economy, paid a severe price as a consequence of these failings.

Predictably, stakeholder expectations have changed again. When I meet audit committee chairmen, I like to ask them what they want from internal auditing. Most often, especially in North America, the answer is, “No surprises!” Shocked by what they have experienced during the last 18 months, they want their internal auditors to help the company avoid the unexpected. Perhaps that is an unrealistic expectation, but it is a real one and — as has always been the case in the past — it is one to which audit professionals must be prepared to respond. It is time for internal auditing to refocus again.

Internal auditors’ first response to the changing circumstances must be to ensure that their audit coverage meets current expectations. Regulators around the world are working on plans to make boards more accountable for risk management oversight. The United Kingdom and South Africa have already updated their corporate governance codes to call on public companies to create specialized, board-level risk committees that work alongside their audit committees. In the United States, the Securities and Exchange Commission recently approved new disclosure requirements on the board’s role in risk management, and U.S. legislators and regulators are working diligently to design additional guidance that will hold boards accountable. And with the risk spotlight shining brightly on directors, who will they turn to for assurance about the integrity of their risk management systems? Their internal auditors?

I’m confident that internal audit professionals can perform this role, but they cannot assume it is theirs by right. Other governance-related functions might try to step in instead. Or the board might not see internal auditors as the logical source of such assurance. Internal auditors need to make their organizations aware of what they can contribute.

Auditors might also lose ground through their own failure to step up to the plate. I have heard from internal auditors who are uncomfortable about taking on this kind of role. They don’t know if they have the skills and status needed to provide board-level assurance on risk management. But internal audit professionals have a deeper understanding of risk management in their enterprise than any other assurance provider. The need to perform risk assessments has been an integral part of The IIA’s International Standards for the Professional Practice of Internal Auditing(Standards) for more than eight years. Moreover, internal auditing is the only assurance function that combines independence and objectivity with the necessary in-depth knowledge of the organization — auditors must leverage that combination to provide risk management assurance.

Internal audit shops also need to realign their audit planning. The risks facing organizations today are dramatically different than what they were before the crisis. Familiar risks such as fraud, supply-chain failure, and expense containment always need more attention during a recession. But the crisis has exposed other areas that could benefit from internal audit coverage — what risks exist in the way the business makes decisions or determines strategy, for example? Is the management culture conducive to sustainable, long-term success? Are organizations designing and implementing necessary controls to conform with new environmental sustainability mandates? Addressing such questions has become increasingly important, though it likely represents unfamiliar territory for many internal auditors.

And these factors give rise to another imperative: Auditors need to make sure they have the skills needed to provide the new kinds of assurance their organizations require. When internal auditors were focused on financial controls, audit shops employed a large proportion of professionals with accounting backgrounds. But if practitioners are to examine operational, strategic, and business risks more closely, do audit shops need to employ people with different skills and wider experience? Every shop will have to give its own answer to that question, but none should avoid thinking about it. I’ve already heard rumblings about this issue from board directors and senior executives. Increasingly, they are voicing a concern that “internal auditors do not understand the business.”

Any audit functions that lack com-mercial acumen or operational experience can plug the gap. They can recruit people from a wider range of backgrounds or bring managers in from other parts of the business — either as permanent staff, as part of a management rotation program, or even as a short-term “guest auditor.” They can also leverage the assistance of external service providers to address specialized needs where staff skills may be lacking. The key is to be creative in addressing the emerging needs of the audit shop.

Those internal audit functions that become more involved in risk management improvement will need to be careful about what kind of work they do. With their skills and experience, internal auditors can bring a lot to the table. For example, they can help managers identify risks and advise on suitable controls. But they shouldn’t start taking actual responsibility for risk management — that is management’s role. The dividing lines between what internal auditors can and can’t do — if they are to preserve their independence — can be hard to navigate. Auditors need to explain their position to management with care, so that they can play a constructive role while maintaining their professional integrity and complying with the Standards.

The IIA–UK and Ireland has published some relevant guidance on this point — The Role of Internal Audit in Enterprise-wide Risk Management. This document describes risk management activities that auditing can perform, those it cannot, and those that are permissible if safeguards are in place to protect independence.

As if realigning audit activities to meet changing expectations were not a sufficient challenge, internal auditors also need to find ways of delivering assurance with fewer resources. In short, they need to do more with less. That means they need to innovate and find “capacity multipliers” — that is, strategic investments or new practices that can exponentially affect auditing’s ability to deliver assurance. One common multiplier, for example, is to make better use of technology.

Before taking my current role as president and CEO of The IIA, I worked at PricewaterhouseCoopers, where I helped lead a research project called Internal Audit 2012 that looked at the future of the profession. The study found that the ability to use data mining and analysis tools was the No. 1 attribute that CAEs believe internal auditors will need over the coming years. Critically important, this attribute will enable internal auditors to quickly evaluate thousands or even millions of transactions and to identify anomalies.

During tough economic times, management looks for ways to cut costs and improve the bottom line. It’s not surprising that the current crisis has brought about painful and difficult decisions with regard to staffing issues, some of which have affected internal audit head count. But if audit functions find the need to cut, they should do so with an eye to the future.

“Salami-slicing” staff budget by removing 10 percent across the board, for example, might not be the best approach. Taking a strategic view of resource needs, CAEs might find they have a surplus of people with skills that they don’t need in abundance. If the audit shop is likely to be doing less financial control work, CAEs might want to take that into account.

Another common way of cutting head count is to not replace staff members who leave. But audit functions need to view this method strategically, too, as turnover tends to be higher among certain kinds of auditors. Those with advanced IT skills, for example, change jobs more often, so a policy of attrition could leave the audit function with a shortage of IT specialists. If the audit function doesn’t require as many people on staff with those skills, that might not be a problem. Nonetheless, CAEs should weigh such considerations before adopting a staffing strategy.

Now is not the time for the internal audit profession to be complacent or defensive. In most places around the world, organizations are not required to have internal audit functions — they do so by choice. Some jurisdictions mandate internal auditing for certain kinds of businesses and for public bodies, but even then they do not tend to be especially prescriptive regarding the size of the function, what it should do, or what kind of professionals it should employ. For this reason, internal auditors often need to rejustify their resources, or unfortunately even their existence. Before the financial crisis, I saw some pretty esoteric arguments about how internal audit work contributed value to organizations. In these tougher times, the people who determine organizational budgets are looking for more concrete reasons to resource a strong and vibrant internal audit function. Consequently, auditors need to find ways to add value to the bottom line and evidence that they are doing so.

I advise auditors to start by targeting the “low-hanging fruit” — audits that generate measurable financial savings. Ripe areas for review tend to be contract administration, supplier fraud — such as duplicate invoices and fraudulent bills — third-party or co-sourcing provider usage, overtime payments, and IT infrastructure spending. This kind of nuts-and-bolts, cash-saving activity will certainly reinforce internal auditing’s value to chief financial officers and CEOs, but internal auditors need to make sure they maintain their stature with the audit committee too. Efforts to deliver bottom-line value should not detract from internal auditing’s high-end, strategic assurance.

Internal auditors should remember that, for many audit functions, access to the audit committee and the chairman’s office is still rather new. Involvement in financial control work, which was a key focus area for audit committees in the past decade, opened doors that were once closed to internal auditing, and it gave many CAEs “a seat at the top table.” Internal auditors have earned their place, but they must not take it for granted.
 

If, having realigned audit coverage, practitioners find that they are spending less time on financial statement controls, there is a risk that audit committees will start to feel audit work is no longer relevant to them. Auditors must not allow committee members to shut the door in their faces — not because it would bruise their egos, but because the nonfinancial risks that auditors are likely to be spending more time on in the future are vitally important. Audit committees have increasingly full agendas, so internal auditors will need to work extra hard to make their voices heard.

One way of attracting committee members’ attention is to make them aware of internal auditing’s risk expertise. Most audit shops are comfortable with the idea of performing risk assessments and using them to direct audit resources. However, this exercise tends to be performed on an annual basis, with perhaps a few interim reviews to ensure that the assessments are still correct. Going forward, internal auditors will likely need to conduct risk assessments far more frequently.

Basing audit plans on an annual snapshot of risk is like relying on a security camera that films once a day for five minutes. Internal auditors need to recalibrate their audit efforts continually so they align with the shifting risk profiles of the organization — that is the only way of beginning to deliver the “no surprises” assurance that audit stakeholders are looking for. And it should also help secure top-table access, as it will enable internal auditors to position themselves as the only independent function that has a finger on the risk-pulse of the organization.

While setting out to meet these challenges, auditors should be sure to recognize the importance of professional standards and guidance. In rapidly changing times, The IIA’s International Professional Practices Framework should serve as the audit practitioner’s touchstone. Auditors should make sure they understand the framework’s content and implement it in their daily work.

I’ve been an internal auditor for virtually all of my adult life. I’ve served in many roles over the past 35 years, and I’ve seen the cycle of recession and recovery many times over. Many changes have occurred in that time, but one truth about internal auditing has endured: This has always been an evolving, growing, and maturing profession. Practitioners should enter this new decade with optimism and a commitment to build on the success that has led to internal auditing’s current stature.

To comment on this article, e-mail the author at richard@theiia.org.

---

Value of Internal Auditing is must for growth of Organization in a whole
I am 100% agreed on the value and need of Internal Auditor's role is must in recent years for grow,financial stability and prevantation of fraud from the organization.
Posted By: chandra sekhar sahoo
2010-04-08 6:29 AM

---

Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

---

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

---