Can Internal Audit really add value? GENERATION 4 (2000-Today)
In today’s post I will be focused on reviewing the 4th of 5 generations of internal audit over its 80 years of existence from 1941 to 2021.
In Sawyers 7th edition we illustrated 5 generations of internal audit capabilities, which lead to IA product quality and value. Those generations are defined as follows:
1. 1941 – the Internal/External Auditor
2. 1970 – the Internal Control Process Auditor
3. 1990 – the Risk-Based Auditor4. 2000 – the Risk Management-Based Auditor
5. 2015 – the Objective-Based Auditor
For those unaware, Internal Audit is uniquely served by one international standard setting professional association. The Institute of Internal Auditors (IIA).
Today we address Generation 4, which began in the 2000’s, where much discussion of risk and risk management begins. In this generation, with a decade of internal audit annual risk assessment and risk ranking of audit issues, significant inconsistencies emerge. Inconsistencies in the annual audit risk assessment exist from one internal audit department to the next. It is common to see long risk list as a product with complicated factors laid out to value each risk. In 2002 Paul Sobel wrote a book on integrating Internal Audit and ERM. In the book Paul introduced the idea of the first three generations we have discussed to this point and a new generation he called “Risk Management Based Internal Audit. Today Paul Sobel serves as the COSO Board Chairman.
The key difference is Risk Management based internal audit was the starting point for the annual risk assessment and each audit. Rather than relying on the auditor and their long list of “things that could go wrong,” both started by asking the question of who should be managing what types of risk. Executives should be managing strategic risks, Managers should be managing operational risk, and risk hazards were typically managed by specific departments, such as Compliance, Information Security, Plant Safety, Legal, Human Resources, etc. Once risk management ownership was assumed, then those areas were targeted for questions about the most important risk they managed for the enterprise. Starting with the most important items first.
Value Proposition of IA: The risk management-based auditor has business acumen and is much more efficient and effective. They are better able to capture the most important risks and place them in context of who should be handling them, by relying on managements expertise over their area and topics. Natural points of collaboration develop when internal auditors encounter risk in operational areas that should actually be managed by Compliance or Information security for example. Stop and Go auditing becomes popular as internal auditors gain business acumen and are better able to identify more complicated risks, like a total lack of management oversight for an area, or significantly misaligned people, process and technology. It would not make sense in either case to continue the audit knowing many things could be wrong due to the lack of oversight or misaligned operations. The reverse is also true, Auditors spotting robust oversight and well aligned operations may no long see a need for an audit depending on the nature of the risks to be evaluated. Internal audit becomes more of a partner with management.
Auditor Skill Required: Risk Management-Based Auditors enter a new world by looking at risks from the top down. A world that requires them to understand leading practices for risk functions (from compliance to legal to information security). It also requires them to have practical experience with ERM models and understand ideals about how management should be leveraging ERM principles in strategic and operational decision making. Resources available expand, including updates to IA Professional Standards, the 3 Lines Model, COSO ERM, ISO 31000 Risk Management, and OCEG GRC. Within these standards assumptions about risk, internal control and internal audit are defined more clearly and with greater detail.
Products and Services: Audit Committee reporting gains a collaborative nature where other risk functions or management over the risk become part of the reporting process. The annual risk assessment is expanded to consider changes in risk at regular intervals. The one-time audit report becomes only one tool to identify and address risk. Perpetual auditing and monitoring data analytic tools replace less efficient auditing enabling Internal Auditors to participate in management advisory roles, like live auditing of physical or application implementations.
Position and Power: Internal Auditors practicing during the beginning of Generation 4 gain significant power and independence. Government Acts, like the Sarbanes Oxley act in the United States require internal audit and its independence. Other legislation specifically places the responsibility to be aware of risks taken by Executives on the Board of Directors. The implied source of risk information to the Board is Internal Audit. More than 50% of the Internal Audit professionals begin to report directly to the Audit Committee of the Board.
As of 2021:
- A good guess today would be that 20-25% of Internal Audit shops could be said to be practicing Generation 4 Internal Audit. This generation is most visible in the risk assessment and the source of risk information. Annual risk assessments are not done in silos. In fact, Internal audit may be a participant in the annual ERM Risk Assessment process, involving other risk functions as well. Where this may not yet exist, Internal Audit relies on meetings with risk function leadership to gain a complete professional picture of risk. In addition, if ERM is not present, Internal Audit includes the formality of strategic and operational decision making in their risk assessment.
- Open conversation with expanding risk functions like compliance, risk management, and cyber security are focused on synergies and ways to aid each other. Management and the Audit Committee are open to sharing risk information and discussing ideal controls and actively focuses and their own risk and control understanding and growth.
- Technology is leveraged as much as possible adding process automation, AI and data visualization to traditional data analytics.
Observations and Opportunities
- Successful Generation 4 Risk Management Based auditors are collaborators focused on the success of risk functions and the growth of risk management principles within the Board and the Executive Team. They also understand the business much better and the strategies and goals of the enterprise – well enough to communicate the context of important risks impact on organizational success.
- The Board of Directors, and the Executive Management team must be open to their own improvement or Generation 4 is not likely to be obtained. Even though the Sarbanes Oxley Act aided the progress of internal audit independence, its mandatory documentation in financial control (a Generation 2 task) has pushed some Internal Audit shops backwards, especially if the IA Leadership is not seen to be more competent than that Generation 2 task.
- Internal Audit leadership operating at Generation 4 begins to earn the title of Chief Audit Executive, acting as a coordinator, collector of capable auditors, builder of risk functions and knowledge center of all things governance, risk and control.