June 2004
On the Road of Change
It’s been five years since The IIA adopted a new definition of internal auditing. Several of the profession’s thought leaders reflect on this milestone and discuss its place in audit history.
Christy Chapman
Former Executive Editor, Internal Auditor
In the late 1990s, the IIA’s guidance task force (GTF), a special committee of The Institute charged with examining the adequacy of current professional standards and guidance, set forth a much debated and contemplated revised definition of internal auditing. During the 60 years since the original definition was published in The Institute’s Statement of Responsibilities of the Internal Auditor, the practice had evolved in response to changes occurring within the profession and in the organizations it served, shifting from strict internal control appraisal and analysis to a broader spectrum of activities that added continuous value to organizations and helped improve operations. As a result, a new description was needed that more accurately reflected the profession’s direction.
In working toward the new definition, the GTF also realized that as the pace of change accelerated, which it was sure to do, internal auditors would need to visualize and seize emerging opportunities for meeting the organizational needs of the new millennium. It therefore sought to describe the profession and its goals in a way that would enable internal auditors to embrace those opportunities, thereby securing internal auditing’s place in the 21st century.
In June 1999, The IIA adopted the GTF’s recommended definition: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” To commemorate the fifth anniversary of this event, Internal Auditor asked several of the profession’s thought leaders to reflect on how the field has changed since that time. Their responses reveal a profession that has once again stepped up, adapted, and found firm footing for meeting the ever-increasing demands of the modern organization.
Larry Rittenberg, PHD, CIA
Original Member of the Guidance Task Force
Professor of Accounting, University of Wisconsin School of Business
Madison, Wis.
I think practicing internal auditors have become much more professional in the way they conduct their work. That, in turn, has led to greater acceptance of internal auditing by the upper echelons of the organization, such as executive management and the audit committee. Certainly some of that increased recognition is due to Sarbanes-Oxley. But, it is also the result of the new definition establishing a base from which internal auditors could step up and be accepted as professionals, on par with outside professionals such as certified public accountants in public accounting firms.
During my interactions with people at IIA meetings, I’ve noticed a sense of pride among internal auditors; a sense that they belong to a profession that exists outside their organization, with established standards and recognition, and that they owe some allegiance to this profession in terms of its standards, ethics, and so forth. They also take pride in the value they add to the organization. Being recognized as an integral part of governance, risk management, and control processes, as opposed to being an independent appraisal activity that serves management, can have a profound effect on an auditor’s pride.
Our level of professionalism and recognition may not have come as far as some practitioners would like, but I certainly see great strides in these areas compared to 10 years ago. When I talk about internal auditing in class, my students are enthusiastic and interested in joining the profession. A decade ago, few students were interested in internal auditing. I’ve also noticed that the quality of those practicing the profession seems to have improved. I can’t say that it’s due only to the definition, but the definition created a framework for that to happen.
There are dangers associated with becoming too critical of the definition, just because the term consulting is suddenly out of vogue. We shouldn’t lose sight of the fact that internal auditors need to be value-added and that we can identify ways to improve operations. I think that any current negativity associated with the definition is just spillover from the U.S. Securities and Exchange Commission and others cracking down on the consulting services provided by the Big Four accounting firms. It raises the question of whether internal auditors can be independent and perform consulting activities at the same time. A lot of people react to that issue without looking at the provisions we built into the International Standards for the Professional Practice of Internal Auditing (Standards) to protect against a conflict between these two goals. It’s important that we look at the Standards that accompany the definition.
Origins of Change
Hubertus M. Buderath
Changes have occurred in the corporate audit department of DaimlerChrysler during the last five years, but they have not come about only because of the new definition. In many ways, the revised definition was a consequence of developments that were occurring in the internal audit function of many large companies, especially the global players. The new definition reflected those developments. Therefore, it can be difficult to discern the chicken from the egg.
That said, many facets of our department have changed since the revised definition was issued. For example, our audit universe, in the past, centered on compliance checking and control methods. Today, it encompasses virtually all functions, business units, and projects in the company, and it focuses strongly on looking toward the future. Previously, our processes focused on accounting methods, but we now look at all core processes in the company. Our products have expanded beyond traditional audits to include consulting services and techniques such as control self-assessment.
The scope of audits with regard to compliance has also changed; not only compliance with internal control standards or policies, but also with international laws, internal rules, and regulatory requirements. For example, we now need to review for consistency with the Global Compact, a declaration on social responsibility raised by the United Nations, as well as Organisation for Economic Co-operation and Development and Transparency International conventions concerning bribery. Of course, there are also issues raised by the U.S. Sarbanes-Oxley Act of 2002, to which our company and several other German firms are subject.
Howard Johnson, CIA, CPA
Vice President Internal Audit
Lowe’s Companies Inc., North Wilkesboro, N.C.
One of the greatest changes that has occurred within the profession relates to a part of the definition that wasn’t altered very much — the focus on evaluating the effectiveness of internal control. That activity has become much more significant to management. They want to know that the organization’s fundamental control infrastructure addresses the enterprise’s significant risks and is working as it should. Nobody wants any surprises about the fundamentals. Instead, management wants a professional internal audit staff to catch the problems while they are small so they can be addressed before developing into a destructive force.
In this sense, we’ve gone back to the basics. Those parts of the definition that represent the control fundamentals are getting more attention now than the elements that were en vogue five years ago, such as consulting and value-added services. For example, we’re paying a lot of attention right now to financial risk. Five years ago, most internal audit staffs devoted little time to addressing financial risk issues and spent at least half their time looking at operational risk. Fortunately, the new definition was designed broadly enough to let auditors move from one area of risk focus to another and still audit in concert with the definition.
Another significant development over the years has been that, to remain independent and objective, more and more internal audit staffs are no longer reporting to the finance function. Increasingly, they are reporting to the audit committee, the chief executive officer, or another function that is completely separate from finance, like general counsel or the chief administrative officer. When I was chairman of The IIA, I remember being concerned that when internal auditing reports to finance, it gives the appearance of a scope restriction in our work. Now, with Sarbanes-Oxley and other regulations, combined with audit committees’ desire to receive an independent read of how well the finance employees are doing their jobs, it makes a lot of sense for internal auditing to report to some function other than finance. CAEs who report to the CFO will probably become the minority soon.
Finally, we’re a much more “in demand” profession compared to five years ago, but unfortunately there aren’t enough practitioners who really know what it takes to meet the demands of today’s business world. Practitioners with the type of skill sets required to maintain a truly professional internal audit staff these days are a scarce commodity. Simply stated, now that we’re in the limelight, we have to produce.
Jack Krogstad, PHD
Original Member of The IIA’s Guidance Task Force
Dean for Graduate Programs, College of Business Administration
Creighton University, Omaha, Neb.
I don’t think rewriting the definition changed what most internal audit shops did or thought. So much of what internal auditors do, at least in large organizations, is dictated by that particular organization’s culture, traditions, and organizational structure. And changing the definition is not going to generate a sweeping change in how a major company looks at its internal audit department.
However, we had defined our market pretty narrowly with the old definition, and the new definition does broaden the territory in which we can legitimately add value. Its key concepts are far more open and create awareness that internal auditors can play more diverse roles than commonly perceived. Confronted with this new definition, executive teams might be inclined to use the audit department in ways they previously wouldn’t have considered; or perhaps they might staff the internal audit function a bit differently as a result. Maybe the definition also created some sense among internal auditors that they could broaden their horizons and led to more proactive or aggressive thinking as opportunities and challenges arose.
I’m not sure where the credit lies, but internal auditing has certainly become a much higher profile profession in the last five years, and the definition helped focus us higher in the organization. The emphasis on risk management, control, and governance ties us much closer to the executive functions than analysis and appraisal did. And when you add the recent high-profile fraud cases, Sarbanes-Oxley, and the re-envisioning of the control process over financial reporting as a value-adding component of the organization, the upshot is the elevation of an area in which internal auditors traditionally have possessed a great deal of competence. Although these circumstances represent an outside force that none of us expected, the definition was consistent with this movement, and it didn’t hinder or prevent the internal auditor from meeting the challenges that ensued.
Essentially, the definition permitted us to rise to the challenges that this particular era in history brought our way. We removed some of the blinders and limitations that previously had hindered the profession’s development and positioned ourselves to grab opportunities and meet the challenges that confronted our organizations. Through IIA offerings, publications, articles, and courses that embrace the themes of the new definition, we fortuitously enhanced our skill set along those lines. The new definition opened minds within the profession and in some ways prepared the soil for the seeds of opportunity that have emerged in the last five years.
Dave Richards, CIA
President, The Institute of Internal Auditors Inc.
Altamonte Springs, Fla.
In 1997, consulting was a revolutionary concept. The definition called upon audit practitioners to step up to the plate to provide a different kind of audit service. Some audit shops were already doing that type of work, but by and large that part of the definition represented a significant change.
Then came the Enrons and WorldComs, which caused some to question whether or not internal auditors should do this type of work because external auditors have been precluded from providing such services to their clients. Others, like myself, view internal audit consulting as process improvement, as opposed to the type of consultancy that might be provided by a third party. Through consulting, we leverage our knowledge, skills, and abilities and are able to become involved in activities to which we might not otherwise have the opportunity to contribute. If we precluded consulting work, we would be prevented from adding value by looking at controls as they’re being developed or evaluated. That piece of the definition was a trendsetter, and it continues to be a point of decision regarding the profession’s future direction.
It’s hard to say that every internal audit shop is better today than it was five years ago, but most have improved. The events of the last five years have resulted in real advancements in terms of the scope of work we perform, the product we produce, the service we provide to our internal customers, and the recognition we receive from senior management and the audit committee. We are much more engaged with the organization’s issues, objectives, and performance than we were in the past. There is certainly a trend to move more toward subject matters that will address the needs of the business and to get involved rather than to stand by and watch events unfold.
Robert McDonald, CIA, CGAP
IIA Chairman of the Board
Director, Internal Audit
Department of Natural Resources, Brisbane, Australia
The individuals who worked on the definition are to be applauded for reflecting aspects of the profession that were important five years ago and continue to be more than relevant today — namely risk, control, and governance. As I’ve traveled around the world during my year as IIA chairman, I’ve heard these three issues mentioned repeatedly with regard to their importance to organizations, governments, and other professional policy setters. As a profession, we recognized their significance before the rest of the business world did, before Enron and other debacles.
The definition certainly helped us refocus on risk management. We’ve come to see it as more than just an audit tool for determining where we should be concentrating our efforts, but also as part of a companywide risk-management process. Additionally, there is recognition that internal auditing should be reviewing the governance structures within the organization. If breakdowns in governance or a lack of enterprise risk management (ERM) are identified, then internal auditors are stepping forth as the corporate conscience and saying to senior management and the audit committee that these issues need to be addressed. In some instances, we’re seeing the internal audit shops actually kicking off ERM processes and then transferring them to responsible parts of management. That’s not a common practice, but some audit groups see ERM as so important that they’ve taken it upon themselves to get the process started in their organizations and demonstrate to management and the audit committee that it produces positive results. Then ERM can be moved over to become part of the organizational culture and process. At the end of the day, the ownership for good risk assessment and good risk management lies with management, but — as the definition points out — internal auditing has an oversight role
A Shift in Focus
Naohiro Mouri, CIA, CPA
James Roth, PHD, CIA, CCSA
President, AuditTrends
Hastings, Minn.
Because the revised definition reflected changes that were already occurring in the profession, internal auditing would have continued to move in that direction without it. However, the definition compelled a lot of risk-averse internal auditors, who don’t want to do anything unless there is firm grounding for it, to move more meaningfully and aggressively in that direction.
After Enron, I was afraid we would be pushed back 20 years to testing invoices of accounts payable all day long. Fortunately, the fallout hasn’t had as much of a negative effect on the definition’s value-added directions as I first feared. Certainly audit departments are focusing more on financial controls than before, but that’s because it’s the best way for many departments to add value right now. Once Sarbanes-Oxley and other regulation-related evaluation processes are put in place, they will become an integral part of the business, and this type of work won’t occupy nearly as much of our time as it does today.
On the other hand, the general movement of finding ways to provide assurance beyond traditional audits — through services such as control self-assessment, internal control training programs, and various kinds of assurance-related consulting — will continue to expand. Audit committees need assurance with regard to the control environment. And we are in the best position and have the best tools to give them the information they need to be able to sleep at night. We are the only group of professionals who are both part of the organization and independent of it at the same time, as well as paid to think critically about the organization.
One aspect of the definition that I would probably change now is the equal weight placed on assurance and consulting. I completely supported that arrangement at the time the definition was released, because it made a statement that was needed to raise our stakeholders’ expectations of internal auditing. It also helped persuade auditors who were too concerned with being independent to move toward providing those types of services.
Although a lot of people in the organization can provide consulting, internal auditing is the only group that can give assurance. That has to be the core of what we do — it’s what we’re there to accomplish. We should always be trying to improve the business as we perform evaluations, and we should have some room in our budget for pure consulting projects. But because assurance and consulting are given equal billing in the definition, consulting could be interpreted as being afforded the same priority as assurance work, although I don’t know that this has been applied in practice.
Hans Spoel, CIA, CCSA, CGAP
Internal Audit Expert – European Commission Audit Progress Committee
Director of Group Audit Services
Alcatel SA, Paris, France
For those audit shops that were providing advisory or consulting services at the time the new definition came out, I think it legitimized their approaches. It allowed them to feel more comfortable and to take a more outspoken position regarding consulting work. But I honestly don’t think the definition changed the profession in that regard for auditors who had not migrated beyond operational effectiveness and efficiency. I don’t think it spurred them on to become more advisory in nature. Audit professionals who continued to provide traditional audit services did so because of the culture of the organizations in which their function operated. That wasn’t going to change just because some vision or definition did.
In addition, when the new definition was released, we were approaching an economic downswing, and in general consulting wasn’t an option because people were not growing their departments. Once the recent spate of regulations began taking effect, we were forced into a position of showing management that we have adequate coverage of the audit universe. For Sarbanes-Oxley, that coverage extends only to controls over financial reporting. But in France, the Loi de Sécurité Financière, the French equivalent of Sarbanes-Oxley, defines internal control in its broadest concept to include financial reporting, effectiveness and efficiency of operations, and compliance with laws and regulations. Demonstrating coverage of the full scope of internal control has become the heart and soul of my business. That makes finding time to devote to advisory services an even more daunting task.
To many people, including myself, the definition is more of a vision statement than a status statement. It provides an ideal to which the profession can aspire. But the closer you are to that vision, the more unhappy you might be because of the shift away from advisory services. I hear a lot of people say that we’re back in the dark ages, which I see as inappropriate negativism. Our profession goes through cycles. Although we are a bit further from our vision today than we might have been when we wrote the new definition, I consider this merely a consequence of the evolution of business over time. Ultimately, an organization’s board and senior management determine what types of services add the most value to their environment. If your work supplies a level of transparency that in today’s world is a key issue, then that is your added value — or at least one element of it.
Betty McPhilimy, CIA
Incoming IIA Chairman of the Board
Director of Auditing
Northwestern University, Evanston, Ill.
Internal auditors must add value to management in myriad ways, especially due to today’s evolving and dynamic business climate. The new definition is a validation of the multifaceted services that internal auditors can provide to their organizations.
Management’s expectations have changed dramatically in the last five years. Executives are becoming more aware of what internal auditors can offer and, as a result, they’re looking for strong internal audit shops that can provide all the value-added services that management needs today. I think the new definition was advantageously timed, coming as it did before all the corporate debacles. As management and governing boards looked at the lessons to be learned from those situations, they were also looking at which functions within the organization could help rebuild investor confidence and ensure that such calamities wouldn’t be part of their futures. As they have become better informed regarding the roles and responsibilities of internal auditing — as described in the new definition — they have come to see it as a function that can help them regain the credibility that’s been lost.
We can leverage this momentum to continue to endear management to the value we can provide. Evidence that this endearment is continuing can be found in The IIA’s own growth. That’s a unique reaction, because typically when the economy is low, people tend to scale back services and involvement in organizations. Instead, The Institute is experiencing double-digit growth. Not only are we adding members to the roster, but more people need training and are seeking it from The IIA. We also see a greater number of people wanting to acknowledge that they are the best in internal auditing and seeking certification. And organizations that have never had internal auditors previously are calling on The IIA to help them establish new audit functions. A lot of that growth is due to the momentum of the legislation that’s advocating our role. By capitalizing on these outside forces, we can make the situation even more positive for the profession as a whole.
To comment on this article, e-mail the author at cchapman@theiia.org.