Can Internal Audit really add value? GENERATION 5 (2015 - Today)
In today’s post I will be focused on reviewing the 5th and final of 5 generations of internal audit over its 80 years of existence from 1941 to 2021.
In Sawyer's 7th edition we illustrated 5 generations of internal audit capabilities, which lead to IA product quality and value. Those generations are defined as follows:
1. 1941 – the Internal/External Auditor
2. 1970 – the Internal Control Process Auditor
3. 1990 – the Risk-Based Auditor
4. 2000 – the Risk Management-Based Auditor
5. 2015 – the Objective-Based Auditor
For those unaware, Internal Audit is uniquely served by one international standard-setting professional association, the Institute of Internal Auditors (IIA).
Today we address the 5th and final (or most recent) Generation of internal audit, which began in 2015 with the publication of a new IIA Mission Statement, “to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” This statement is so new that many IIA chapters around the world and government entities have not yet incorporated it into their charters and guiding documents. Most significantly, this new mission brings “value” into the equation and implies internal audit will have something to do with the future of value creation and value preservation. Much of this is still theoretical.
The Value Creation and Value Preservation discussion.
Many areas related to internal audit have also been experiencing evolution, particularly over the last 20 years. We do not have the time to get into each of these areas other than to say there is a convergence of ideas expected and the terms Value Creation and Value Preservation are being used to represent this convergence. The three lines model put out by the IIA last year represents an effort to bring internal audit and functions that manage risk closer together in purpose and product (risk and risk mitigation data). The practical implementation of the three lines model is one risk system that integrates risk assessment and shares risk data across all risk functions and the Executive team in a fluid way, a way that enables better informed decision making. This overall effort is called GRC by technology vendors, integrated risk management by risk professionals and a value preservation system by thought leadership.
A solid value preservation system within an enterprise is supposed to also be a resource for setting minimum value creation standards. For nearly 20 years regulators across the globe have been anxious to improve public reporting requirements to better gauge and control the market’s perceived value of an entity. Financial reporting has been expanded to include non-financial areas of value. One of the more popular frameworks in this area is “Integrated Reporting”, which defines 5 non-financial areas of value that they believe would help decision makers improve decision quality. This model, in part, led to ESG reporting expectations by the EU and World Bank. Essentially, governments have latched onto the non-financial value areas they feel are most important to their social and public value assurance role. However, reporting that improves the capture of all types of non-financial value is also important to internal decision makers, who need to know how robust their operations are, or if new strategies will strain the strength of their supplier relations, for example. Interestingly, the Risk Management based internal auditor has proven an ability to capture new data that can contribute to the development of non-financial value creation data, such as the maturity of operational oversight or the maturity of aligned operations (people, process and technology). In addition to contributing to value creation standards, the innovative Internal Auditor also has an opportunity to advise on the evolution of risk functions into a value preservation system.
Value Proposition of IA: The objective-based auditor not only has business acumen, but they are connected to the evolutions happening related to value preservation and value creation. Not only are they aware of what is happening within their organizational evolution, they are tuned into opportunities to enhance and promote the makings of systems that support value creation and balance it with value preservation. Their architect-like understanding of this evolution makes them first and foremost a critical advisor to their Executive Team and Board Decision Makers. Their risk assessment and audit efforts focus on shoring up risk mitigating function capability, identifying operational vulnerability and challenging the formality of decision-making processes to ensure decision quality. As you can imagine, much of this is still theoretical, because it is dependent on Boards and Executive teams interested in this journey, a journey that brings greater exposure to their systems of accountability and the quality of their decision making. So it takes an open interest by decision makers in becoming even more transparent.
Auditor Skill Required: Objective Based Auditors not only must understand the power of system design, but they must also be capable of seeing breakdowns in the systemic engine and promoting the right next step. This is no longer a report that “something is broken”; this is a report on how it is broken and the needed next step to fix or improve the system, not at the technical level but at the business oversight and long term operational enhancement level. Sometimes, it will require internal audit to be the seller of scrapping and replacing the existing business system with a better value producing design. This means internal auditors must understand leading business models and must have experience in change management. An objective based auditor is one who works in an organization where management has ownership of lower-level control systems, and Risk Management functions handle risk hazards, leaving internal audit to focus on elevating existing systems of risk and control to the benefit of value creation efforts. It also leaves internal audit to be THE risk expert that crosses the management line and helps improve standards that enable value creation quality, standards such as identifying existing operational capabilities or formality in decision making and the result of decision quality. Finally, internal audit must also be a governance expert: not a legal expert in the design of Board rules and policy, but an expert in the ideal operational structures and oversight needs that the right governance documents must create.
Products and Services: Since most of this remains theoretical, many new types of products could be created by the Objective Based Internal Auditor. Rather than going into these details, we will share some products that are out there today that would qualify as Objective Based Internal Audit. Objective based risk assessment performed in collaboration with risk functions and the Executive team is a good start. These risk assessments begin by dividing existing operations into areas of priority for organizational success. Each area has stated operational purposes, objectives, and strategies. These objective priorities are used to define the scope of the risk assessment. No risk is documented without defining which objective priority is “at risk.” The result of the assessment directly connects value preservation efforts to value creation needs.
Position and Power: Internal Auditors remain structurally independent, to have the designed support of the Board as needed, yet they must collaborate with both risk functions and management to create value. So there can be a need to shrink the prominence of the hard-won independence to a safety net status, in order to enable the Executive Team to welcome Internal Audit into some of their more challenging conversations and needs. Trust building in Generation 5 is a tremendously important challenge.
As of 2021:
- Since this is the most modern generation of internal audit, and it is still evolving, it is likely that no more than 5-10% of internal shops are aware of and attempting to deliver IA services and products at this level.
- Integrated Risk Management is a related effort to bring risk functions together. Interestingly, in some cases Chief Audit Executives have found themselves in a position to play the leadership role in making this happen. Structurally that can mean they are also the Chief Risk Officer or EVP of Risk with responsibilities for Compliance, Insurable Risk Management, Cyber Security and more.
- GRC technology or applications intended to enable Integrated Risk Management and/or facilitate ERM are also widely used. However, successful enablement of risk data and risk response/actions flowing across risk functions and to management has not yet reached the ideal.
- Boards and their role in risk oversight have gained greater attention: how does a board oversee risk within important Executive decisions? Board roles and Board execution have become a growing topic of discussion. The previously mentioned Aligned Influence’s new book, “Beyond Governance,” is an example of seeking to find better ways to define and execute the role of Good Governance.
Observations and Opportunities
- As Generation 5 continues to unfold it will be impacted by many related efforts. If internal audit leadership is surfing the tide of change, they can end up in this critical and important role. Yet, change will happen slowly at first for some industries and can lull leadership into the assumption that what has been done in the past will always be what will be done in the future. Some industries and countries are particularly behind this wave. However, those who are not aware of the wave can eventually find themselves under it. For example, two years ago, I was sitting at a table during an IIA GRC conference with leadership from an international packaging organization. I first spoke to the CRO, who shared the scope of his roles and responsibilities. Much of the objective based audit discussed here was the responsibility of the CRO, who did not have access to the Board. When he left, I asked the CAE what he did. His response reflected Generation 2 Internal Audit. Such a structure was particularly damaging to that Board of Directors left out of the loop.
- Internal Audit is the best positioned resource to aid the Board and the Executive Team in defining and balancing Value Creation and Value Preservation systems for the enterprise. However, if IA does not step up access to this role, someone else will and IA will be pushed backwards or contained to historical activities until they become obsolete.