Is Internal Audit Losing Its Chance?
Never in modern history have so many departments across larger organizations had roles that deal in risk. Expanding regulations, new cyber threats, and Boards (more aware of their risk oversight role) have caused this growth. Yet where does internal audit fit? How do they see themselves? Do they see the IA role as independent of needing to interact with risk functions? Independent of being part of creating a bigger picture of risk and control for Executives and the Board? That type of independence would be an error. Tomorrow’s Internal Auditor must be in the middle of risk and control information flowing throughout the organization. Independence for IA is intended to be structural, to enable reporting to the Board, not a black line that inhibits collaboration. If IA is not part of the risk and control big picture, can we say we are meeting the IA mission intent to “Enhance and Protect Organizational Value?” Today’s Internal Auditor needs to act like a Primary Care Physician, collecting all that specialists do for the patient, identifying gaps and unknowns, and enabling a whole-body (risk and control) health plan. So, what does that mean? Change! Yet are we changing fast enough to gain this collaborative position we are best equipped to claim? Maybe, maybe not.
Barriers to Internal Audit Change
IA Leaders May Not See It Coming – In 1998, on the first day of my career in the field as an external auditor, a Big 4 accounting partner instructed me to spend the day footing Excel spreadsheets. He had me use a 10-key calculator to check that each column of the spreadsheet added correctly. I did this for 11 hours. Of course, no errors were found. What the partner should have known is that testing one column without error would have been enough, because the formula in the application would not change column to column. Unfortunately, many in Internal Audit leadership today do not see similar changing realities. This could be because they have fallen victim to the thinking that they are “independent” of needing to engage with other risk and control efforts, making their traditional work in financial control, compliance, or information security redundant to better-focused efforts within growing 2nd line of defense risk functions.
IA Leaders May Not Have Needed Skills – Sixteen years ago, I was given the reins of an important project – re-engineering risk assessment. I was working as part of an Internal Audit team serving a California hospital system. I had taken a Briggs Meyer personality test and been tagged as an Assertive Advocate. Basically, at my core, I was best motivated by a cause or a mission to improve life for all. My savvy senior manager thought this lined up nicely with her needed risk assessment improvement. She was right, I was hooked. Within two years, after 3 such improvement projects, I was offered a leadership role focused on improving methods and products available to 335 internal auditors. I have never left that role since, building methods, products, and services across various organizations. It has made me an avid collector of good ideas, and an architect of designing how those ideas fit together.
It has also given me insight into what brings the right change that delivers more value. Change is not easy in general, and rapid change is even more difficult. In addition to that, it has been my observation that Internal Audit Directors or CAEs who grow up in internal audit often have blind spots, as leading a small or large team requires more business management skill than the auditor's analytical mind. These are skills such as setting a vision, creating a strategy, and developing operations (people, process [method] and technology), and skills that can also distinguish between change management (enabling the cause) and project management (getting it done). This knowledge cannot be a surface familiarity but must be a tried experience. As Internal Auditors become leaders, they must close gaps in their leading and managing skills to be successful. Sometimes this is done by hiring a non-auditor to support the CAE or IA Director. Collectively, the skill must be present to lead with the vision and the why, and then manage the design of systems and operations that deliver on the why.
Professional Expectations are Keeping Pace – In 2016 I began serving on an IIA International Committee responsible for keeping relevant materials and books on the shelves of the IA Bookstore. Over the next four years, I began to see why the Vision, Mission and Standards of the profession are in such great shape. Many quality IA leaders serve on the International IIA Board of Directors, or within their Affiliated Counties Board. There are also many thousands of volunteer hours spent in supporting committees. These efforts are looking around the corner and anticipating our challenges. These efforts have led to current Standards, a new 2015 Mission, and an updated CIA Exam. In short, the framing of what makes a good IA Professional is evolving at the pace of change. The only limit is the association managing all this great input.
International Leading Practices are Available – One main advantage to the profession of internal audit is its international scope. It is difficult to find another profession that sets standards with such wide impact. This also means that Internal Audit is not dependent on one controlled source of leading practices but can draw from cultures and experiences across the globe.
Sawyer’s 7th Edition – I was fortunate enough to participate in one such effort to draw from leading practices across the globe. In 2017, we began designing the Sawyer 7th Edition book to be a new product for 2019, focused in large part on helping CAEs and IA Leaders close the skill gap needed to evolve internal audit products and services to a higher level of value. We found some amazing strategies and ideas such as the following:
- Switzerland – Identifying value drivers in products and services, and using them to develop strategic plans
- US – Leveraging Paul Sobel’s (COSO Chairman) idea that IA has evolved through generations; defining and illustrating 5 generations of services and products
- Netherlands, US – Borrowing Capability Maturity Models or Ambition Models to discuss what must change in people, process (method) and technology to evolve to a higher, more modern level that can produce needed products and services
- Jordan, US – Discussing the org charts and skill profiles of staff and leaders across different skill-building strategies, generations, and product deliverables
- China, US – Connecting value goals and evolving definitions of risk and control to each generation of IA Services and Products
- South Africa, Australia – Defining and cultivating Governance ideals and Business Acumen
Will it be enough?
Every evolution is preceded by signs that tell of the coming reality. For example, before the accounting profession began being impacted by process automation, data analytics, and AI software, there was significant outsourcing and automation of other business processes. One could guess that it was only a matter of time until all parts of an enterprise were impacted.
Today a variety of indicators spell coming change to Governance, Risk Management, and Internal Control. The main indicators include dissatisfied Boards that do not completely understand their role with regard to risk oversight, and Executives who see no value in ERM. This pressure is creating an interest in “consolidating risk and control information” from any source into one management system that management can value, invest in, or shrink based on the perceived value of its products. That, after all, is what ERM is meant to be: a management tool driven at their direction. At a minimum, ERM’s growing maturity means IA will eventually have to compare the value of its products and services to those produced by ERM efforts. A better consideration would be integration of IA efforts with 2nd line of defense functions and sharing of risk and control data with ERM systems. Are IA Leaders capable of this careful integration? Can they maintain their independence and objectivity in a way that continues the importance of IA reporting to the Board, while elevating the value and complexity of risk and control information?
There are some interesting bright spots, where CAEs and IA Directors are adding significant value to their organizations and aiding in the innovation of governance, risk, and control services. But we need more as a profession to not be seen as secondary or of low value.
Unfortunately, my interaction with many IA Leaders does not give me a tremendous amount of confidence that we are changing quickly enough. Some concerning examples are leaders noting, “I am not being asked to do that yet?” An IA leader must be the vision builder, measure the change happening, and chart the course for the department. Most of the time, no one will tell an IA Leader to improve; they will simply wait until the lack of value is obvious and then eliminate the leader or the function. If they cannot eliminate it, they will minimize it as a “cost center”.
Several years ago, this became obvious to me. I sat at a table during an IIA GRC Conference talking with a new Chief Risk Officer for a large package delivery service. He had previously been in internal audit, and so I was interested in his new role. Twenty minutes later, everything he had described as part of his role, I felt should be IA Advisory services. After he left the table, I introduced myself to the person next to his chair. It turned out he was the CAE for the same organization. Curious, I asked what the scope of his role was. He noted SOX financial controls auditing. “What else?” I pressed. “That’s it,” he said. “Since the CRO is Advisory, they do not want me doing that anymore.” Concerned, I asked if the CRO reported to the Audit Committee. “No,” he responded, “he reports to the CFO.” So, the inactive CAE had not sold the role of IA to the Audit Committee and allowed his professional impact to be limited to a management function task… This must not be the case, or we will not be able to call ourselves professionals. The future of IA must become elevating good governance structures, and risk and control within Management and each 2nd line of defense function. If we do not get there as a profession, then we are letting others define the value we can bring.