The Scary New Outlook for Internal Audit

Can the profession seize its rightful role in risk management, governance and compliance? Maybe, but it’ll take vision and guts. Do you have what it takes in the post-meltdown world of the new normal?

by Rick Telberg

In the aftermath of the global financial meltdown and the surge of new corporate interest in enterprise-wide risk management, do internal auditors face risks of their own in getting left behind?

Maybe so, according to some prominent thought leaders in the profession.

After surveying more than 2,000 executives across 50 regions of the globe, researchers at PricewaterhouseCoopers report that internal auditors are being challenged “to remain relevant and meet stakeholder demands” as never before.

What’s required today, according to Brian Brown, PwC principal and Internal Audit Advisory Services leader, is a whole new, and somewhat unnerving, concept of the internal auditor, a new vision Brown and his colleagues call “Internal Audit 2.0.” More than simply checking accounts, internal auditors need to adopt a new way of thinking about their job that goes beyond audit as we’ve known it and embraces the fast-developing body of knowledge in governance, risk and compliance. Or else, Brown says, they run the risk of becoming marginalized and obsolete as new risk-management professionals take over.

Directors and top management are crying out for improved risk management operations. But it will take some brave and innovative internal auditors to show the way. “The internal auditor needs to have a vision and to take leadership,” according to Brown, “even though they may not necessarily have the authority.”

FREE DOWNLOAD: Click here for PwC’s State of the Internal Profession 2010 (PDF, 32 pages)

Five years ago, after the first round of Sarbanes-Oxley implementations, internal auditors were at the center of the risk-and-compliance universe. But the meltdown proved, according to PwC, that some notable corporate internal audit operations and risk controls were sadly inadequate. The same PwC study five years ago reported auditors squeezed for time and resources in implementing SOX. Nevertheless, as a result of the new internal controls requirements, 79 percent of audit departments found and reported issues to top executives on ways to improve risk management.

Today, Brown says, internal audit is “in danger of being pigeon-holed as a tactical compliance function.” And many internal audit managers are admitting they are unable to meet top management expectations with the same old data set.

To meet today’s top management needs, the role of the internal auditor needs to be expanded, Brown says. Strategically focused auditors can have a huge impact. After all, they are among only a handful of professionals in today’s global conglomerate who can actually see across all departments, regions and silos of the enterprise.

In the past, internal auditors were being told that so-called “soft” skills were needed — creating a “client-service culture” with stakeholders, “leveraging technology” and “promoting improvement and innovation.” All that still may be necessary. But more is needed. PwC researchers say this year’s breed of internal auditor is talking more about identifying “critical risks,” “aligning internal audit’s value position with its stakeholder’s expectations” and “matching the staffing model with that value proposition.”

But do today’s internal audit teams have the right mix of skills, training and experience? Many don’t, Brown says. Most lack the diverse, broader business experience needed for insightful risk assessment and corporate persuasion.

“We believe internal audit must take a more radical approach,” says Brown, challenging auditors and their C-suite handlers “to change, rethink and redefine” the way internal audit works. It starts with vision and leadership.

COMMENT SECTION

4 Responses to The Scary New Outlook for Internal Audit

  1. David Buck, CPA
    http://www.insightbb.com

    My 20-plus years’ experience tells me that “internal auditor” is an oxymoron — the conflicts of interest are too great. Those auditors who are really interested in finding inefficiencies and irregularities are black-balled almost immediately as lacking “team-player” attitudes. Those auditors who succeed in the corporation are those who “stroke” the very people they are supposed to be monitoring. Yes, internal audit needs to take a more radical approach, starting with a reward formula that gets to the issue of that conflict of interest.

  2. Clint Shinkle
    http://www.@aquent.com

    The profession hasn’t caught a bubble yet so the external auditors are already marginalized, obsolete and irrelevant.

  3. Dan Clayton

    As a former grunt under Brian Brown, I agree 100%. I now work for a healthcare internal audit company. We are three years into significant transformation of our IA shops. Both our risk assessment and our audits start by understanding the business objectives and the structure of accountability. Our audits go deeper into measuring the maturity of people, process and technology in place to reach those objectives. All of this preliminary work tells us how vulnerable we are to any risk. That information has been in high demand. We are working to standardize it. However, when we started, a good portion of our auditors cannot effectively assess that way. Some left, others became specialists. We are not likely to become obsolete.

  4. Rick,

    Excellent article and excellent comment from David Buck.

    My view is that the role of internal audit will evolve away from the passivity that now characterizes it. Not because the internal auditors are leading the charge, but because the politicians in Washington and the crooks in Wall Street will force it on those who hire us. The politicians with their simple-minded populism, and the crooks with the audacity of their schemes, which cannot be hidden anymore in today’s hyper media environment.

    The current circus we are seeing may be the most effective way of bringing change to internal audit, even though it’s messy and inefficient. The reason for my view? The auditing field is a child of crisis, fraud, lies, arm twisting, threats, blackmail, forgery and broken promises. In the absence of these, auditors and their employers are at ease and see no reason to change anything. After someone else finds a problem as with Enron or Mr. Madoff, then “new” ideas come to the table to “strengthen” auditors’ roles and “professionalism.” The day when internal auditors have some form of insurance or can be bonded against dismissal due to arbitrary decisions from their superiors (those they audit) will be the day, in my opinion, when some level of real independence comes into play and the “Dumb” auditor ceases to be dumb. But, of course no one is likely to talk about this sort of thing in the US Senate or to propose it in a PwC report.

    Change is coming; there will be more audit, risk and compliance work, especially as socialism creeps into the economy and more regulations and centrally planned bureaucratic programs come into play. Big brother needs folks with expertise in managing “controls….”
