“Key imperatives for the future”
In November 2018, IIA Global President and CEO Richard F. Chambers was in Amsterdam to participate in an IIA-Netherlands roundtable discussion on key imperatives for internal audit’s future. Audit Magazine talked to him about his vision for the internal audit profession.
What are the key requirements for an effective internal audit function?
“I believe there are several requirements supporting its ascendancy, starting with the imperative that all traded companies should be required to have an internal audit function. If an organization expects investors to have confidence in it, then they ought to know whether the organization has such a function. The absence of internal audit suggests that the organization does not see the value in assuring strong, effective risk management, internal control and governance. Right now, there is no universal requirement to have an internal audit function. Ideally, publicly traded companies should be required to disclose why they do not. Over the past 10 years, we have seen a movement with most larger, publicly traded companies likely to have an internal audit function. The New York Stock Exchange, for instance, requires companies to have an internal audit function. The NASDAQ does not.”
“Furthermore, it is key that the internal audit function reports to the CEO and to the audit committee. Having the right reporting lines is vital to internal audit’s success. This means a functional reporting line to the board and an administrative line to management. Most organizations support and appreciate the value of this dual reporting line. The biggest threat to an effective reporting line is when the chief audit executive reports to a position other than the CEO, such as the CFO. Independence is the cornerstone of internal auditing and anything that threatens this erodes internal audit’s effectiveness and credibility.”
“I also believe that internal audit should be looked at by the audit committee as a resource to assist in its oversight of the external auditors. I am not suggesting that internal auditors should audit external auditors. However, audit committees have an oversight obligation when it comes to the external auditors. Internal auditors can and often do assist in this process — particularly when it comes to assessing whether the external auditors are conforming to the terms of their engagements and whether engagement fees are appropriately calculated and billed. If these responsibilities are delegated by the audit committee to management, the appearance of the auditors’ independence could be compromised.”
“Additionally, internal audit should have a permanent seat at the management table. This is where management is contemplating risks and strategy for the organization, and the CAE should be there. The finance function has the CFO, information technology has the CIO, and risk management has the CRO. But there is often no seat for the CAE. Over nearly a century of internal auditing, the profession has progressed from providing simple assurance on financial reporting to becoming an integral contributor to organizational success. Yet, the CAE is rarely considered a “true” member of the C-suite. An effective internal audit function is recognized as a respected and vital player in good governance. This includes a permanent seat at the management table.”
“Finally, the audit committee must directly oversee the hiring, firing, review and compensation of the CAE. IPPF Standard 1110 explains the importance of the (supervisory) board’s role in protecting internal audit’s impartiality and objectivity. This includes approving an internal audit charter, approving a risk-based internal audit plan, and approving the internal audit budget and resource plan. It also addresses the board’s role in the appointment, removal, and compensation of the CAE. However, this responsibility is too often overlooked or delegated to management. This may be the single biggest threat to internal audit’s independence.”
Which future key developments will affect internal audit most?
“I am often asked about the future of internal audit and its role in an organization’s risk management and control structure. As the risk landscape changes and the speed of risk increases, internal auditors must expand their skills and embrace a mindset of being flexible, agile, and open to responding quickly to disruptive threats and emerging risks.”
“I see several imperatives that internal audit must focus on now and in the future. First, we need to maintain a laser focus on the horizon. I think we must become much more committed to and capable of identifying emerging risks. It is no longer enough to, in essence, stand outside, look only at the sky and forecast the weather. There are better techniques (e.g. weather models) that can be used. Auditors should become more like meteorologists, continuously focusing on the horizon and beyond. Risks are changing quickly, sometimes as fast as the weather. We can be a valuable source of risk awareness for the organization.”
“I also believe that internal audit should take the offense in the war for talent. An audit department of any size needs to have access to many kinds of expertise. A good example is cyber security. If this is not part of the audit plan and a cyber-security breach occurs, people will rightfully ask the question, “Where were the internal auditors?” So, audit departments either must have the resources on staff, or have access to third-party resources that do. Talent management is key. I think internal audit is particularly vulnerable when an emerging risk creates a lot of damage to the organization. Hence, we need to be adaptive in identifying these risks and making sure we have the talent to address these.”
“I think we also need to sharpen and deploy the best navigation tools. Generally, internal audit departments are not getting any bigger, yet the risks are multiplying exponentially. There is more to look at, but we have limited resources. Internal audit has the ability to multiply its capacity by deploying technology. Data analytics and process mining are being used more and more. Inroads are being made into tomorrow’s tools of the trade, such as robotics, for routine audit tasks and the analysis of evidence via artificial intelligence.”
“We need to be a beacon for transformation in our organizations. We see new business models disrupting existing ones at a record pace. Even established market-leading firms, products, and alliances may suddenly face lethal risks. Innovation is often the only path forward. As internal auditors, we should champion transformation built on innovative thinking and provide stakeholders insight into innovative processes and frameworks. Internal audit should also focus on risks and controls throughout transformation processes.”
“We must be willing to sail toward the storm. It is human instinct to flee from danger, and internal auditors may have a tendency to avoid controversial topics, such as executive compensation, culture and behavior, harassment (gender, ethnicity, etc.). However, looking the other way only compounds risks. Some internal auditors may experience ‘courage deficit’. Internal auditors need to be willing to push on closed doors.”
The five scariest words ‘Where was the internal auditor?’
“Often, at some point following a scandal, this question will come up. It is increasingly raised by regulators, supervisors or management. It turns out that, sometimes, the CAE excludes certain areas from the audit plan because of a courage deficit or by not having the expertise or resources. To make matters worse, some CAEs are not transparent about these decisions. An audit committee should not ask the CAE whether there are enough resources to carry out the audit plan. The real question to be posed to the CAE is: What are the top five risks you are not going to audit because of insufficient resources or knowhow? Internal auditors can audit anything, but they can’t audit everything.”
Where do internal auditors focus most vs. where should they focus?
“I still think we are a little too intensive in our focus on financial and compliance risks. That is a classic but wrong view that we need to counter. Increasingly, our focus is moving from providing information in hindsight (assurance) to providing insight and, more and more, providing foresight (what happens if controls and risks are not being managed). The most lethal risks lie in the future and relate to strategy and business risks and not, per se, to financial reporting. Nevertheless, there is sometimes a tendency to focus on hindsight and spend internal audit time on areas that do not represent the highest risks. It is not only about counting beans, but also growing, harvesting, marketing and forecasting of beans. We must be more knowledgeable than in the past and not be perceived as just the bean counters!”
Where are we doing well as internal auditors?
“Positive elements that spring to mind include the risk-centric approach we are using and that we steer our resources to exactly those areas and, hence, add most value. Further, we are becoming more proficient with technology, but we certainly must make additional steps both in our audit tools (e.g., data analytics and process mining) and in how technology is used by the company, for example, security risks. Another area where we have made considerable steps is that boards and audit committees have learnt to appreciate our expertise and added value. Having said that, there is ample room to further improve the internal audit function.”
Sometimes it is said that the IPPF standards stand in our way to innovate?
“I think there is a lot of myth over what is in the Standards and what is in the policies of the internal audit department. The IPPF Standards have deliberately been kept ‘lean’ to not unnecessarily encumber audit functions. The Standards have been designed in such a way that they can be applied to audit functions of two or of 2,000 staff. It is often the internal audit policies and procedures that expand on these Standards that may stand in our way. These may have been imposed by ourselves or perhaps by regulators, but these do not go back to the Standards. Standards sometimes may wrongly be used as a scapegoat for not bringing about required change. However, the Standards are not very prescriptive and leave sufficient room to maneuver to ensure that internal audit is prepared for the future.”
Audit departments may have different missions and objectives. Is that an issue or an opportunity?
“I believe the world is incredibly diverse. Sectors of the economy are organized differently in what they do. The corporate sector has different objectives than the not-for-profit sector. I think internal audit should reflect this. I don’t expect to see the same kind of internal audit department in every sector. It is not one size fits all.”
Richard F. Chambers is president and CEO of The IIA global. He has more than four decades of internal audit and association management experience, mostly in leadership positions, including at the U.S. Postal Service, U.S. Army, and PwC.