Can Internal Audit really add value? GENERATION 2 (1970-Today)
In today’s post I will be focused on reviewing the 2nd of 5 generations of internal audit over its 80 years of existence from 1941 to 2021.
In Sawyers 7th edition we illustrated 5 generations of internal audit capabilities, which lead to IA product quality and value evolution. Those generations are defined as follows:
1. 1941 – the Internal/External Auditor
2. 1970 – the Internal Control Process Auditor
3. 1990 – the Risk-Based Auditor
4. 2000 – the Risk Management-Based Auditor
5. 2015 – the Objective-Based Auditor
For those unaware, Internal Audit is uniquely served by one international standard setting professional association. The Institute of Internal Auditors (IIA).
Today we address Generation 2, which began in the 1970’s. In this decade the profession reached 30 years old and began to benefit from seasoned professionals who had spent their careers attempting to add the most value they could through their role. Larry Sawyer the namesake of this book published the first version in 1973, which weas widely seen as an encyclopedia for the profession. The IIA also created the first certification (CIA) exam based on its newly minted standards.
These new standards could be characterized best in Larry Sawyers 1983 “Ten Principles for Internal Auditors, Know the objectives, controls, standards, population, facts, causes, effects, people, modern methods and when and how to communicate.”
Value Proposition of IA: The auditor analyst who not only finds issues but investigates those issues for their source and provides research on leading ideas to prevent or “control” negative outcomes.
Auditor Skill Required: Process evaluation for efficiency, effectiveness and control added to the core accounting and compliance skills. Research of leading management practices becomes more common.
Products and Services: Audit Reports include more background on the area under review, process efficiency and control expectations. Flowcharts become more common. Internal Audit also begins to be considered a partner to the Legal and Human Resource departments in personnel and fraud matters, and more critical legal investigations.
Position and Power: Internal Auditors practicing Generation 2 internal audit begin to gain a bit more independence within their financial or legal department reporting structures. Modern internal audit departments of the time begin to report directly to the Board and “Audit Committees” become more common. Internal Audit becomes much more associated with Compliance and in some cases the two functions are combined, or Compliance is cultivated as a function by internal audit.
As of 2021:
- A good guess today would be that 20-25% of Internal Audit shops are primarily focused on providing Generation 2 Internal Audit. In some cases, this can be the result of countries with young economies, but it can also be the result of slow-moving industries run by rule or policy, such as government, utilities or higher education.
- However, I have also observed internal audit being forced backwards to Generation 2 after a financial or regulatory error or fraud damages an entities reputation.
- Finally, some regulation like Sarbanes Oxley Section 404 promotes the image of Generation 2 internal audit and if compliance with that expectation is all management drives IA may remain at Generation 2.
Observations and Opportunities
- The risk for Internal audit functions remaining at Generation 2 is that their services may be overlapping other management and risk function activities that have developed over time; such as legal investigations, HR investigations, insurable risk management, compliance departments, information security departments and applications with built-in monitoring and reporting functions.
- At Generation 2 Internal audit can be seen as a negative or punitive function. In such cases management is motivated to support internal audit moving up to Generation 3, where audit becomes more of a supportive partner and more aware of the good being done by management.
- A Generation 2 internal audit shop could meet current professional practices or internal audit standards under some conditions.