“I don’t believe internal audit is “losing prestige”. My belief is that internal audit can and should do more to deliver the value that our stakeholders need. Unfortunately, internal audit at many if not most organizations does not have a lot of prestige and the argument should be about increasing rather than losing it.”
My friend Richard Chambers has written a couple of posts that merit our careful attention.
Frankly, all of his posts merit our attention, but these are important.
I ask that you review:
- The State of Internal Audit: Facts vs. Conjecture, and
- For Internal Audit, the Best Defense Is a Strong Offense
I have not spoken to Richard about either of his posts nor about his motivation for writing them. (See Note at conclusion.)
However, I suspect that they were sparked by articles such as this, Internal Audit Losing Prestige, Survey Finds. To quote that piece:
In the eyes of CFOs and many other senior executives and board members, the internal audit function is fast losing prestige, a new study suggests.
The reason? Most internal auditors are slow to help their employers prepare for and respond to major corporate “disruptions” like big regulatory changes and cyber attacks, according to PwC’s 2017 State of the Internal Audit Profession Study.
The portion of “stakeholders” — internal auditors, senior executives, and board members — reporting that “internal audit adds significant value” plummeted from 54% in 2016 to 44% in 2017, reaching the study’s lowest level in the five years PwC has been tracking the metric.
Tim Leech of Risk Oversight was more gloomy about the current state of internal audit when he wrote a piece with the highly provocative title of Is Internal Audit the next Blackberry.
Full disclosure requires that I tell you that I have known both Richard and Tim for a very long time.
- Richard and I come from different backgrounds but tend to see things in similar ways (while he served as CAE in the US public sector, I served as CAE for global public companies; he worked with PwC in the consulting and audit services area before becoming CEO and President of the IIA, while I started my career with PwC in public accounting). His position requires him to be diplomatic while I tend to be more provocative. I served many years on IIA committees and task forces and Richard and I have collaborated on a number of AuditChannel broadcasts.
- Tim and I also have different backgrounds. While he also started with PwC (in Canada) before moving into internal audit, he has been a consultant for the last 30 years. Tim and I often disagree but have a mutual respect. Recently he has shared drafts of his work with me for comment before they are published.
Richard is far more provocative than usual in his March 27 post when he says:
It is a truism that negative news tends to generate more attention, and of late there has been too much of it directed at internal audit. I wouldn’t go so far as to characterize it all as “fake news,” but much of it is “hyped news” at best. Whether it’s a media headline trumpeting a purported decline in stakeholder confidence in internal audit or pundits characterizing the profession in such stark terms as the next Blackberry, a few sensational “sound bites” can easily become fodder for those who are quick to relegate the profession to irrelevancy.
Naturally, Tim sees this as labeling his writing as “fake news”.
Richard is 100% correct when he states:
No one has been more open and transparent about challenges and opportunities facing our profession than I have been. Along with other leaders of The IIA, we have continuously challenged internal auditors to acknowledge and address any shortcomings that surface. Internal audit should never shy away from fair critique of its work. However, superficial interpretation of data about the profession can quickly morph from valid encouragement for continuous improvement to destructive criticism.
Equating survey results indicating that less than half the respondents believe “internal audit adds significant value” with a loss of prestige is fallacious. The fact that internal audit functions are able to add staff may indicate that they are being given more resources so they can do more and add greater value.
I don’t believe internal audit is “losing prestige”. My belief is that internal audit can and should do more to deliver the value that our stakeholders need.
Unfortunately, internal audit at many if not most organizations does not have a lot of prestige and the argument should be about increasing rather than losing it.
Let’s look at some more information.
My friend Joe McCafferty of MISTI recently wrote about comments by a panel that included other friends, Larry Harrington and Angela Wizany, along with Brian Christensen of Protiviti. Joe’s piece is titled Stakeholders are sending a clear message to internal audit to step up its game.
I strongly recommend reading the piece and noting the eight action items.
One quote by Brian caught my eye:
Stakeholders are challenging us to get out of our swim lanes. We as auditors are so accustomed to doing our behaviors. We have our audit plans, we have our pencils. But [stakeholders] talked to us about the fact that things change. Be adaptable, be flexible, and be receptive to embracing new challenges and taking them on.
I have worked with IIA Malaysia in the past, including talking on their behalf to the Malaysia Securities Commission and presenting to board members. The profession appears to be strong there, but a recent survey indicates that more is needed.
An article in the local business newspaper reported that:
Public listed companies (PLCs) in the country still have much room to strengthen their internal audit functions, according to a year-long survey commissioned by the Institute of Internal Audit Malaysia (IIAM).
In a statement, IIAM said 54% of the PLCs on the Main Market preferred to outsource their internal audit function and almost all (90%) of these PLCs that outsourced paid RM100,000 or less in a year.
“The amounts incurred indicate that very junior staff or very few staff were in the audit team and a limited scope was covered. The low amounts are also a sign that the staff are not professional staff and may not have the experience and skillset to effectively carry out the work, thus less is spent,” the institute said.
“PLCs should consider the professional qualifications, certification and experience of their OSPs (outsourced service providers) in relation to the scope of the work required to ensure adequate coverage of risk areas and reliable reports are issued.”
Tim has every right to challenge the current state of internal auditing and I know Richard respects that.
I don’t agree with Tim’s reference to a “direct report internal audit paradigm”. While he has explained what he means to me in private conversation, I strongly doubt that many know what he is referring to. However, I do agree that internal audit should provide assurance on the effectiveness of risk management and its ability to help the organization make intelligent decisions and achieve objectives.
There is some merit to Tim’s thinking, but I always struggle with the way he says it. (Sorry, Tim).
Nevertheless, we need people like Tim to challenge us.
Now is the time to step back and think about why the surveys are saying what they are saying, and then talk about what needs to be done about it.
Richard and I have both shared our views with new books.
- Auditing that matters takes on the issue of auditing the risks that really matter to the success of the organization and then sharing with executive management and the board what they need to know.
- Trusted Advisors: Key Attributes of Outstanding Internal Auditors discusses the “top attributes needed to excel as an internal audit professional and be viewed as the go-to person within the entity”.
I would like to think that between us we have charted a way forward.
Internal auditors need to be “proactive” and “forward-looking” according to our Principles for Effective Internal Auditing.
Let’s adopt that mindset for our own practices and profession.
Forward ho! The future is bright. Internal auditing in 2020 and beyond may well be quite different than it has been in the past.
I welcome your comments.
Note: I shared a draft of this post with both Richard and Tim. Neither has a concern, although Tim and I remain at odds over his terminology and perhaps more.
- Was Silicon Valley Bank a failure of risk management? - March 28, 2023
- The risk is assessed as high. So what? - March 15, 2023
- Putting cyber risk into business perspective - February 15, 2023