Can Internal Audit really add value? GENERATION 3 (1990-Today)
In today’s post I will be focused on reviewing the 3rd of 5 generations of internal audit over its 80 years of existence from 1941 to 2021.
In Sawyer's 7th edition we illustrated 5 generations of internal audit capabilities, which lead to IA product quality and value. Those generations are defined as follows:
1. 1941 – the Internal/External Auditor
2. 1970 – the Internal Control Process Auditor
3. 1990 – the Risk-Based Auditor
4. 2000 – the Risk Management-Based Auditor
5. 2015 – the Objective-Based Auditor
For those unaware, Internal Audit is uniquely served by one international standard-setting professional association: The Institute of Internal Auditors (IIA).
Today we address Generation 3, which began in the 1990s. In this decade, the profession reaches 50 years old and begins to be recognized by government entities. In the United States a government commission to combat fraudulent financial reporting results in the forming of COSO. COSO is a committee of 5 professional associations including the Institute of Internal Auditors. COSO produces leading practices and guidance publications. Famously, in 1992 it produces its Internal Control Framework. This helps codify, or write in stone, a key purpose of internal audit – assessing internal control quality.
However, internal auditors focused on financial transactions and regulatory compliance soon find that management does not care about every control they identify. Management only cares about controls that impact its success. So, the push for risk-based auditing begins.
The profession of internal audit responds to management complaints of “death by a thousand minor details” by borrowing leading risk assessment practices and introducing the annual risk assessment, with general guidance such as, “What could go wrong?” Audit planning steps also leverage risk by scoping the audit project effort to the more important areas being audited.
Value Proposition of IA: The auditor risk analyst becomes a tool for identifying the biggest organizational exposures to risk, elevating the need to report directly to the Board. The attention to growing hazard and reputation risks contributes to the creation and/or expansion of risk mitigating departments, such as Compliance, Insurable Risk, Business Continuity, and eventually Cyber Risk.
Auditor Skill Required: Risk analysis and the creation of a risk ranking methodology become a new skill for most IA functions; it adds to every aspect of process evaluation for efficiency, effectiveness and control. All of this still rests on the core accounting and compliance skills.
Products and Services: Audit Committee reporting becomes more of a formal collection of data. It typically includes data about the annual risk assessment, the annual audit plan and detailed audits completed since the last meeting. Individual audit reports add more background sections, commenting on the risks that led to the audit and the risk-influenced scope of the audit, before presenting the details of findings. During this period new data analytics tools begin to be used for more efficient and complete testing.
Position and Power: Internal auditors practicing Generation 3 are supported by more specific guidance from the Institute of Internal Auditors calling for independence and objectivity of the function and branding the profession as a primary source of reliable information to the Board of Directors through the Audit Committee. This introduces the age of the charter: first the audit committee charter, and then the internal audit function charter, each focused on spelling out position, role, duties, and powers. Despite this focus, the majority of internal audit functions have yet to be considered independent of management.
As of 2021:
- A good guess today would be that 40-50% of Internal Audit shops are primarily focused on providing Generation 3 internal audit. A good way to determine whether your internal audit shop remains at Generation 3 is to ask the following questions: Who controls the risk assessment? What is the product of the risk assessment? If IA controls its own risk assessment and the primary product remains the annual audit plan, then you are in Generation 3. Generation 4 requires internal audit to become more of a collaborative part of risk management systems and more connected to the needs of management. This is typically a transformational exercise, not a simple incremental improvement.
- The expanding risk functions, such as compliance, risk management, and cyber security, typically end up competing with an Internal Audit function that remains in Generation 3.
- Management with robust internal audit and risk functions often becomes very frustrated with the intensity of inspection and push for IA to express more business acumen and more strategic awareness.
Observations and Opportunities
- A successful Generation 3 risk-based internal audit should create its own nightmare: a growing Enterprise Risk Management program and increasingly risk-capable functions (Compliance, Legal, HR, Information Security, Safety, Insurance, etc.) all competing for attention. Yet maturing risk mitigation and ERM activities are exactly what Generation 4 internal audit requires.
- Advocacy of IA within the Board of Directors, the independence of internal audit and the capability of the audit committee all impact IA's ability to grow. In some cases, inadequacy in these areas will prevent internal audit from evolving past Generation 3.
- The Board of Directors is also a relatively modern 20th century concept. Risk awareness at the Board level has only been around as a concept for 20-30 years. Internal Audit can and should play a role in elevating Board capabilities. Unfortunately, 90% of Board “training” simply tells directors the rules of governance from the legal perspective, not how to define and execute a Board role. A new publication, “Aligned Influence: Beyond Governance,” out of Colorado, USA, can help fill this gap. It is written by Ken Schuetz, a former IT executive.