More than 17 years ago, The IIA’s magazine published an article of mine, The new age of internal auditing.
I made some provocative comments, including (with highlights today):
Members of the profession have a unique opportunity to become major contributors to their organizations and embark on radical change.
Technology has accelerated the rate of change dramatically, and many organizations are struggling to keep up. As Steve Case, chairman of AOL Time Warner, recently stated, “There is probably going to be more confusion in the business world in the next decade than there has been in any decade in history.”
Internal auditors can thrive in the midst of this confusion and, in fact, are needed more than ever before. As our organizations sail to the new world of e-business, auditors can be at their side. We can provide necessary advice and counsel as our clients embark on new explorations.
To meet the needs of our clients in today’s business environment, however, internal auditors must be able to keep up with change and adapt to the increasing speed of business. In the words of management guru Tom Peters, “We are in the most profound revolution in over 500 years, and this revolution places over 90 percent of the white-collar worker jobs in jeopardy over the next decade. … The 10 percent who survive will make it because they have reinvented their work to be full of passion, excitement, emotion, and dreams.” Auditors must embrace change or risk going the way of the dinosaur. We will survive and thrive if, as Peters suggests, we can reinvent our work.
In response to changing business demands, audit departments of the future are likely to be different in several key ways. For instance, we will audit faster and place more emphasis on real-time risk and controls consulting. Staffing will change accordingly, with more IT-proficient auditors. Instead of focusing on a list of audits from an audit schedule, we will be concerned primarily with assurance: providing peace of mind to our clients that business risk is being managed effectively – even, or especially, during turbulent times. Most importantly, however, we will need to start looking further ahead and rethinking our traditional approach to audits.
When continuous change and transformation occurs, continuous risk assessment is needed. As auditors, we will need to make sure our eyes remain on the areas of greatest risk. The days of an annual audit plan, where projects are set in stone, will disappear. Risks can change rapidly and with little warning, as Cisco found when its sales plummeted and forced the company to write off $2.5 billion in inventory. Auditors will need to challenge their schedules constantly to ensure that present and future risks are being addressed – not the risks of the past.
Our audits will be future-looking projects, rather than audits of history, and our mantra will be “assurance through prevention.”
Auditors need to be loud. We need to voice our concerns when it comes to understanding and assessing business risk in turbulent times. This takes courage, especially when management is racing to install the latest technology and our message is one of caution — of heightened risks because of missing controls and security, or hastily tested code —
The rock stars of the new age of internal auditing must step up to the challenges that lie ahead. They need to throw out the crutch of standard audit programs and old auditing textbooks and instead rely on their knowledge of basic control theory, their intellect, and their imagination. To be rock stars, internal auditors must be able to take some risks and leave their traditional thinking behind.
It can be so much fun when your internal audit team are doing all of this. There are great opportunities for personal and professional growth, as well as making a huge contribution to the success of your organization.
Looking back, I am convinced that my advice was sound. Some progress is being made, for example:
- Richard Chambers, President and CEO of The IIA, has changed the title of his popular book in its second edition to The Speed of Risk: Lessons Learned on the Audit Trail, echoing one of the themes of my 2001 article.
- The IIA published Core Principles for the Professional Practice of Internal Auditing (I was privileged to be a member of the task force) that emphasized the need to be “proactive and future-focused”.
- In their 2018 Global Chief Auditor Executive Survey, Deloitte jumped on the bandwagon with similar advice.
Internal Audit groups having the most impact and influence in their organizations also tend to be the most innovative. Not content with doing the same things in the same ways, they learn how to deliver the assurance, advice, and risk anticipation that stakeholders need, when they need it, and they use whatever new methods and technologies they need to do that.
The traditional audit planning process is of limited value in assessing risks in today’s disruptive environment. Continuous risk monitoring, assessment, and tracking can help Internal Audit to direct its resources to where they’re most needed—a valuable departure from rotational audit plans.
- Protiviti has also been advocating change. In Embracing the Next Generation of Internal Auditing, Brian Christensen (EVP, global internal audit) is quoted as saying: “There needs to be a fundamental rethinking of the design and capabilities of the internal audit function to be more forward-looking and help improve the business”. The report also says:
Three out of four internal audit groups are undertaking some form of innovation or transformation effort.
Next-generation internal audit methodologies are designed to equip organizations with more efficient, flexible, risk-focused, real-time and impactful ways of conducting their activities. These methodologies, which also apply to reporting and collaboration activities, generally include continuous monitoring, high-impact reporting, an agile audit approach, and dynamic risk assessment.
But the profession has not (yet) met the challenge I set in 2001.
I still see:
- A lack of interest from audit committees (according to the Protiviti study, only 16% are very interested) in audit function transformation. I suspect they don’t know what they are missing!
- Traditional annual (ugh!) audit plans. They may have a contingency to add “special projects”, but few have moved to agile internal auditing, where the planning is continuous and projects focus on the risks of today and tomorrow.
- The maintenance of “audit universes” when we should have “risk universes”. We need to audit controls over the enterprise risks of today and tomorrow, not risks to a location or process.
- Too few audit functions are assessing whether the management team has processes around what might happen (risk) that meet the needs of the organization. Some are performing a compliance audit to see whether risk management is performed consistent with policies and so on, but that is not even the start of addressing whether management manages the risk of not seeing the bus heading their way. (Note: the bus may be an opportunity or a threat.)
- Audit reports that say what the auditor wants to say rather than what the stakeholder needs to know. (See my April 2018 article in the Internal Auditor magazine, Information Distillation. Link available only to IIA members.)
- A lack of passion and excitement in our work (echoing Peters’ words from my article).
Some seem to think that internal audit work is boring. Recently, one individual wrote that “SOX is killing the Internal Audit profession”. A lot of people ‘liked’ his article, but is it SOX that is killing internal auditing (if indeed it is a dying profession)?
I challenged the gentleman on Twitter, saying that if people are bored by their SOX testing it is because of a failure of leadership by the CAE and his or her management team.
It is the job of every manager to ensure his or her employees are motivated. Giving them boring work is awful. The manager has a duty to make it interesting.
Recently, Richard Chambers paid tribute (on the 10th anniversary of Richard’s appointment as President of the IIA) to the great Bill Bishop. Bill was President of the IIA for many years and I can still picture him talking about his internal audit tattoo and bleeding internal audit blood.
Internal audit leaders need to (and the best do) have passion for internal audit and the value it brings to the organization.
If you start with the idea that SOX testing is boring, it will be very boring indeed.
But there is no reason that it should be boring.
I’m a big fan of Tom Peters and his concept (and book) The pursuit of Wow! In 2001, I made a presentation to the SuperStrategies conference on The Gospel According to Tom Peters: Making Internal Audit a WOW! Department (click on the link to download my PowerPoint).
The idea is that a great leader can make almost any project a Wow! project. In the 2001 presentation, I quoted Tom Peters’ description of a Wow! project:
It is dynamic, stimulating, a major bond builder among co-workers, a source of buzz among customers, and inspiring, exhausting, hot, cool, sexy, where everyone wants to be.
It confronts an important issue head-on… redefines it in such a way that participants will be remembered ten years later
How does a great CAE make SOX exciting, something for which an auditor can have passion?
My team already knew that our job was not to find fault, but to help management succeed. Of course, when controls failed we reported that, but with an eye to helping them upgrade to processes and controls that were both efficient and effective in managing risk.
When we tested controls over financial reporting (and I did some of the testing myself), we considered:
- Are these the right controls to include in scope?
- Do they address the financial reporting risk?
- Are there better controls?
- Are there better ways to address the risk, perhaps making use of technology?
- Are there redundant controls that can be eliminated?
- Is there too much control?
- Do the people have not only the information, training, responsibility, and experience to perform the controls (per AS5) but the time to do them well?
- Is supervision and review effective and appropriate?
- Will management know when there are problems performing the controls?
- Can the processes be upgraded?
In other words, we were essentially performing not only a compliance audit but an operational audit as well.
Management recognized quickly that we were there to help (without losing our objectivity). Their welcoming attitude enhanced our experience as SOX testers.
Another aspect of our work was that we gave the auditors the time to do the job well. I have heard of some organizations where the auditors are hounded to complete the work. There’s no joy under those circumstances – and no opportunity to add value.
If you believe internal audit work can be fun, you can make SOX testing fun and challenging as well.
But it starts with the right attitude.
BTW, don’t tell me this is good in theory and not in practice until you have tried it!