
By Norman D. Marks, CPA, CRMA | September 3, 2019

The next generation of internal auditing

I want to congratulate Workiva and Jose Tabuena for Internal Audit’s Guide to Planning, Managing and Addressing Risks. I want to focus on the first piece in that publication, Planning to Do the Right Audits: An Effective Internal Audit Risk Assessment.

Here are some excerpts, with comments by me:

  • While the responsibility for identifying and managing risks belongs to management, a key role of internal audit is to provide assurance that those risks are being appropriately addressed and mitigated. [ndm: sometimes it is appropriate to take risk, even more of it, for business reasons.]
  • Are you confident that your department understands the risks that are critical to the delivery of value and the achievement of corporate objectives? Every organization faces numerous risks that matter individually to managers with whom auditors interact, but are they risks that matter to the organization as a whole? The risks that truly matter are those that need to be addressed in the audit plan. [ndm: this sounds like something I would say.]
  • Change does not occur on an annual basis. The move to a continuous and dynamic audit plan is significant for most internal audit departments.
  • It’s usually those who are in the details on a daily basis that have the best perspectives on risks and low-hanging fruit when it comes to increasing operational efficiency. [ndm: in other words, don’t just talk to senior management. Talk to the people who know what is really going on.]

The only disagreement of significance I have with Jose is when he talks about the risk assessment and planning being performed every six months. To the contrary, it should be at the speed of risk and of the business.

Protiviti has also shared their perspective. Next Generation Internal Audit: Catch the Wave is a collection of case studies featuring 16 different internal audit departments.

The overall message is not new: internal auditors need to change to meet business needs. That has been a constant in my professional life (going back decades).

I am not going to share excerpts from the Protiviti publication. I found it generally lacking in new and exciting practices. For example, the various CAEs talk about agile, but they are talking about the agile methodology, not necessarily about being agile. By agile, I mean able to change direction quickly to address what matters today as business conditions and related risk change.

Most still audit what matters to a process or business unit, rather than the enterprise as a whole. There is also a continuing failure to perform continuous audit planning.

Finally, many of the CAEs (with consultants cheering them along) are becoming owners of detective controls as they use RPA and other technologies to identify potential problems with data – rather than providing assurance that management is able to do that.

But those of you in internal audit might find value in reading about what other companies are doing.

If you want to know more about my ideas for ‘next generation’ internal audit, consider Auditing that matters.

I welcome your thoughts.

Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Article by Norman D. Marks, CPA, CRMA / Business, Finance and Accounting, Information Technology, Privacy / audit plan, internal audit, internal auditing, risk assessment, risk management, risk to objectives
