In the last couple of days, I have:
- Listened to an internal audit executive as he shared a thought leadership piece from EY. In it, they talk about moving from the bottom left quadrant of internal audit maturity, which they describe as “assurance provider”, to the top right, “business advisor”.
- Read an article by a practitioner for whom I respect on the future of internal audit.
That is after reading multiple pieces in the past that talked about Internal Audit 2.0, 3.0, and so on.
All of this had me ruminating on how I see the future of internal audit myself.
Let me start with the EY idea that providing assurance is a low level of maturity.
Imagine you are asked by a couple to provide them with assurance that their child, Adam, will be able to achieve his wilderness experience goals and return safely.
That is no small task!
You need to learn a great deal before attempting to provide any level of assurance. For example, you need to know:
- What is this “wilderness experience”?
- What are Adam’s goals?
- What can happen, especially what can happen and cause him harm? But you also need to know what needs to happen if he is to achieve his goals?
- What are Adam’s strengths and weaknesses? Is he fit and healthy? Can he make intelligent decisions?
- What is his level of confidence? Is he over-confident?
- How well has he done in the past?
- What help will he have? Is it reliable? Will it be sufficient?
- What equipment, etc. will he have? Is it reliable and sufficient to address any hurdles and other tasks?
- How much risk of harm and how much risk of failing to achieve his goals are Adam and his parents willing to take? Do they agree on that?
- Will he be able to adapt with agility if conditions change?
- …and more.
Providing assurance involves assessing the current situation, looking forward and anticipating what might happen in the near future and longer term, determining whether that is acceptable, and if it is not helping decision-makers take appropriate actions.
Providing assurance is not a low level of internal audit maturity. It includes “business advisory” activities.
The practitioner article I read criticizes the IIA’s definition of internal auditing and their suggested mission statement for internal auditing.
To paraphrase the mission statement, it says that internal audit should provide the forward-looking assurance, advice, and insight that leadership needs to achieve success (the achievement of its objectives).
That is a high bar!
It is especially so when you set a goal of providing assurance over more than individual objectives and related risks and opportunities.
When I was on the IIA’s international committee that developed guidance for internal auditors (the Professional Issues Committee), I was a member of the team that developed a Practice Guide: Formulating and Expressing Internal Audit Opinions. It talks about micro opinions (opinions expressed in a single audit report) and macro opinions (opinions on the overall management of risks and opportunities).
My goal as CAE was always to provide management and the board with both: a business-oriented opinion after each audit, and an annual opinion on the overall management of risks and opportunities.
The opinion was supported with advice and insight to help management make improvements as needed.
Assurance is not a low level of maturity. I believe providing leaders with assurance that they can rely on the organization to perform as needed is of immense value. (They are not “assured” if there are serious weaknesses. In that case, we work with them to fix the issues and achieve success.)
The future of internal audit is delivering that level of value – a challenge and goal for many. The only question IMHO is how and when this will be achieved.
What do you think?
 Full disclosure: I was on the IIA task force that developed the mission statement.
- Auditing at the speed of risk with an agile, continuous audit plan - June 22, 2022
- Do smaller companies manage risk better than larger ones? - May 18, 2022
- Is there an effective risk culture? - April 20, 2022