By Richard F. Chambers – President and CEO, The Institute of Internal Auditors
Is internal audit focussed on the strategic risks that matter with insight and foresight, or is it auditing transactional activity and reporting on what happened in the past (hindsight)? Is it best in class, in need of improvement, or lagging?
My fervent hope is that internal audit in your organisation is receiving the resources it needs – financially and in terms of the right talent – to continuously improve and proactively help identify the important issues and risks.
From my global experiences of interacting with numerous board members and countless internal audit professionals, it is clear to me that internal audit performance falls along a bell curve. Consequently, there are some great ones and, unfortunately, some who face challenges. Yet, that bell curve keeps shifting towards greater expectations, leaving at risk far too many internal audit functions that are struggling to keep up.
In today’s rapidly changing and risk-strewn environment, we certainly can all acknowledge that average may not cut it. In fact, to best serve the organisation’s governance structure and, most importantly, the organisation’s stakeholders, internal audit needs to be appropriately resourced with talent, skills, tools and expertise to continuously improve and strive for greatness. As governance leaders, it is our obligation, perhaps even our ethical responsibility, to actively support internal audit’s evolution and maturity.
A couple of years ago, the Institute of Internal Auditors (IIA) made major enhancements to its internationally recognised and adopted ‘standards’ and guidance framework. Among those enhancements were the addition of a Mission of Internal Audit (why internal audit exists) and Core Principles for the Professional Practice of Internal Auditing (what effective internal auditing demonstrates). Let’s leave the more detailed, pre-existing standards and guidance to the multitude of hard-working internal audit professionals to worry about as they execute their professional duties. But I do strongly suggest that you pay attention, as a governance leader, to the mission and principles.
The Mission of Internal Audit is: “To enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.” Those 15 words are laden with intentional meaning. So, please read that again and consider whether internal audit is currently accomplishing its mission in your organisation.
The 10 Core Principles, meanwhile, presume conformance with The IIA’s globally recognised International Standards for the Professional Practice of Internal Auditing. Importantly, though, all 10 must be present for an internal audit function to be considered effective.
For each principle, I would like to share my introductory thoughts and then ask three intentionally challenging questions. I could ask more, but these questions represent plenty for you to ponder with regard to where on that bell curve your internal audit function resides.
1. Demonstrates integrity
The IIA’s member Code of Ethics states: “The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.”
- Is your internal audit leader viewed as someone with uncompromising ethics?
- Are your internal audit professionals beacons of the organisation’s core values in everything they do?
- Are your internal audit professionals viewed as trusted advisors who demonstrate courage, honesty and accountability?
2. Demonstrates competence and due professional care
IIA standards require that the ‘internal audit activity collectively must possess or obtain the knowledge, skills and other competencies needed to perform its responsibilities’. If your internal audit plan is truly focussed on the risks that matter, I suspect that there are areas of the company (for example, highly technical subjects) where your internal audit professionals may not have all the requisite expertise.
- Is your company’s internal audit plan truly risk-based, or are auditors focussing only on those things they know and are comfortable auditing?
- Are all internal audit professionals given sufficient time and resources to pursue appropriate training?
- Does internal audit have the budgetary latitude to co-source with external subject matter experts as needed?
3. Is objective and free from undue influence (independent)
Objectivity and independence are two different things. You are objective by being completely unbiased in your approach to the work you do, the decisions you make and the conclusions you reach. You are independent by virtue of your reporting relationship.
- Do you have any concerns or doubts about the objectiveness of the work and conclusions from internal audit?
- Does internal audit report to an area functionally where it can be truly independent, such as the audit committee of the board of directors? And, does it hold regular executive sessions with this body when no one else from management is present?
- Does internal audit report to an area administratively where its work has the least chance of being restricted or redirected (such as by the CEO)?
4. Aligns with the strategies, objectives and risks of the organisation
Many organisations around the world have adopted the COSO Enterprise Risk Management Framework, the ISO 31000 Risk Management Standard, or some combination of the two. And most organisations have a robust strategic planning process. Hopefully, your enterprise risk management (ERM) activities and strategic planning processes are intertwined such that the organisation’s strategic objectives and the risks to achieving them are well understood.
- Does internal audit have a robust risk assessment process that considers the strategic plan, the underlying strategic objectives and the risks to achieving those strategic objectives?
- Does your internal audit leader participate, at least as an observer, in the strategic planning process of your organisation?
- How well coordinated are your ERM efforts and your internal audit activities and is there a common risk management language framework used when talking with the board and senior management?
5. Is appropriately positioned and adequately resourced
Internal audit desires a ‘seat at the (executive) table’. Granted, even if your internal audit leader asks for that seat, they still have to earn it. I go into some depth making this case in my book, Lessons Learned on the Audit Trail. And, without question, internal audit will always, like any function, want more resources. But the better question is, do they have enough of the right resources?
- Does your internal audit leader have the executive presence, business acumen and gravitas to deserve that much-needed seat at the table?
- Is internal audit viewed as a business partner, actively contributing to the organisation’s success?
- Can your internal audit leader clearly articulate the ‘next project’ from a risk perspective they would undertake if they had additional resources? And are you comfortable if that project doesn’t get done during the ensuing audit plan?
6. Demonstrates quality and continuous improvement
IIA standards require a commitment to quality, through both an internal quality assurance and improvement programme and periodic external quality assessments. This commitment to quality is measured by the level of conformity to the standards and acts as the foundation to continuous improvement.
- Does internal audit report on the results of its internal quality assurance and improvement programme?
- Is internal audit getting an external assessment at least once every five years?
- Is internal audit investing in and improving its ability to leverage technology in both the administration of the function and the deployment of data analytics?
7. Communicates effectively
Pareto’s Principle applies well as a generalisation of internal audit’s work efforts: 80 per cent is not seen by most, and 20 per cent is what the organisation sees, communicated via the written word (memos and reports) and the spoken word. Although the documented work is critically important in support of internal audit’s conclusions and opinions, it is rendered nearly irrelevant if what is communicated misses the mark in terms of accuracy, timeliness, clarity and impact. In my book, Trusted Advisors: Key Attributes of Outstanding Internal Auditors, I stress the importance of being ‘dynamic communicators’.
- Are internal audit reports something you place at the top of your in-box, knowing that they contain critical, succinct and well-articulated information that is important to read, digest and act upon?
- Has your internal audit leader established strong rapport with senior management and the board?
- Is internal audit viewed as having a positive, relationship-based and collaborative demeanour and as a go-to resource of insight on risk and control matters? Are they ‘trusted advisors’?
8. Provides risk-based assurance
Internal audit plans must be based on risk and the outcome of a continuous organisational risk assessment. If that is truly the case, however, many internal audit functions may not have all the skills and competencies they need with existing staff to fulfil the audit plan. Unfortunately, I have seen this all too often relegate internal audit to focussing on only what it knows or, worse, trying to audit things it knows nothing about. Either way, this is a disservice to the organisation and does not result in effective risk-based assurance.
- Has internal audit stopped doing ‘cyclical’ audit work, based on a set timetable and moved to a truly risk-based plan?
- Does internal audit update its risk assessment periodically (more frequently than annually) and is the audit plan dynamic, based on those updates?
- Does internal audit have the support to bring in subject matter expertise in areas where it does not have the skills or competence to do the work?
9. Is insightful, proactive and future-focussed
Nearly every chance I get to speak globally, I stress the need for internal audit to move away from providing hindsight (what happened in the past) and move towards first insight (what the true impact is or can be) and then foresight (getting ahead of issues before they occur… being anticipatory). I also emphasise that internal audit cannot succeed by putting its head down and focussing solely on completing the audit plan. It must be proactive by looking up (throughout the organisation) and looking out (beyond the organisation) at all times. And it must not shy from controversy. Internal audit, if necessary, must be courageous and willing to sail towards the storm.
- Does internal audit raise risk-based issues of merit and strategic impact that are not being considered?
- Does internal audit help the organisation ‘get ahead’ of issues before they manifest into something critical?
- How capable is your internal audit leader in demonstrating prescience, the ability to see around corners and anticipate matters of importance?
10. Promotes organisational improvement
I have no doubt your organisation has either a broad-based plan of organisational improvement (e.g. lean, agile, Six Sigma) and/or targeted programmes geared towards improvement (e.g. cost cutting, refocus on core values). Internal audit should be identifying and recommending opportunities for organisational improvement and also be participating in/contributing to organisational improvement programmes. Organisational change programmes, as important as they are to move the organisation forward, can introduce a lot of risk.
- Is internal audit an active participant in material organisational improvement programmes, and is it able to provide useful advice and insight resulting from that participation?
- Does internal audit consider opportunities for organisational improvement in every audit?
- Is your internal audit leader proactively consulted on organisational improvement initiatives?
If you aren’t satisfied with your reflective answers to these questions, there are some critical roles all governance leaders need to play to support internal audit effectiveness. Quite simply, within appropriate limits and reason, internal audit must be adequately resourced. But such resourcing is not only about budgetary dollars; it’s also about having the right resources, in the right place, at the right time. It is about expecting energy, competence, progressiveness and insightfulness. It’s about the availability of targeted training. It’s about respecting the importance of the dual reporting relationship and making sure internal audit navigates both its objectivity and independence with deft skill, while at the same time being viewed as a trusted advisor to the organisation. And, it is about constructively challenging internal audit to be its best, strive for excellence and continuously improve. This is what the organisation’s stakeholders assume and what you should expect, demand and unequivocally support.
About the Author:
Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA, is President and CEO of The Institute of Internal Auditors (IIA), the global professional association and standard-setting body for internal auditors. The IIA serves more than 190,000 members in more than 170 countries and territories and is the internal audit profession’s most widely recognized advocate, educator, and provider of standards, guidance, and certifications. Chambers has more than four decades of internal audit and association management experience, mostly in leadership positions.
Since becoming president and CEO in 2009, Chambers has led The IIA to achieve record membership and has presided over the launch of a number of valuable initiatives, including the Audit Executive Center; Pulse of Internal Audit; Audit Channel; Internal Auditor Online; the Certification in Risk Management Assurance (CRMA); the Qualification in Internal Audit Leadership (QIAL); the American Center for Government Auditing; the 2015 Common Body of Knowledge study and reports; the Financial Services Audit Center; and the Environmental, Health & Safety Audit Center. Previously, Chambers was national practice leader in Internal Audit Advisory Services at PricewaterhouseCoopers and vice president of The IIA’s Learning Center.