The Current State of Internal Auditing
A personal perspective and assessment

I. Introduction

Norman Marks and Jay R. Taylor have been practitioners and thought leaders in the internal auditing profession for many years. In this article, they bring their combined experience and perspectives, as well as the results of their very broad networking with other leaders around the globe, to assess the current state of internal auditing and share their views on where the practice should be heading. While both have senior positions within their organizations, and are very active within the IIA and ISACA, the views expressed are theirs and theirs alone.

In this article, Jay and Norman review high-level issues such as standard-setting and leadership of the profession, and where internal auditing should report. They then consider each major aspect of internal auditing (such as audit planning and risk assessment; performance of individual audits; staffing and resources; the use of technology; fraud and investigations; the quality of audit reporting and other communications; and value-add consulting and other services). The authors discuss how internal auditing has improved and where opportunities for enhanced performance can be found in each area.
II. The State of the Profession
Are we one profession, two, or even more?

While there are others (such as the Board of Environmental, Health & Safety Compliance, which offers a valuable certification for EH&S auditors), there are two dominant organizations for internal auditors: the Institute of Internal Auditors (IIA) and ISACA (formerly known as the Information Systems Audit and Control Association). We are, in truth, a single profession – but unfortunately we have two organizations that profess to represent us and provide professional standards. While there have been attempts in the past to reconcile and agree on common standards, the fact is there are two sets.

We agree in principle with the ISACA statement that, “The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing.” But many of us are both Certified Internal Auditors (CIA) and Certified Information System Auditors (CISA), and are confused as to how we determine where one set of professional standards starts and ends versus the other set. How can we, for example, realistically separate a business function into the automated portion versus the non-automated portion when trying to seamlessly evaluate controls within a single process from end-to-end? The truth is we cannot and should not abdicate the evaluation of all technology-related areas to IT auditors. There should only ever be one internal auditing department at any organization and IT auditors are members of that department. Just as it makes no sense to us to have two people making a single evaluation of controls, it also makes no sense to have two potentially competing and conflicting standard-setting bodies for a single profession. We hope that time and common sense will enable leaders within ISACA and IIA to move towards a combined, authoritative set of standards. Initial areas of focus should include a single set of standards around such things as the role and purpose of internal auditing within the organization, audit planning, risk assessment, documenting the work, reporting, and other areas where professionals see commonality. We certainly have no problem with the existence of two professional organizations, with ISACA taking the lead on technical IT guidance, certifications, and training. However, until there is a recognition that we are in fact one profession, the wasteful and duplicative efforts of the two organizations will likely continue. New thinking is needed to rationalize the domains of the two organizations.

An interesting question is whether we are considered a profession by those that matter: regulators, boards, and those responsible for governance and risk management frameworks. The good news is that major progress has been made around the world in the last decade. Although internal auditing still has a long way to go if it is to be considered in the same league as external auditing, the IIA has been taking the lead in reaching out to international governance, regulatory, and governmental organizations with their advocacy programs to obtain the professional recognition needed.

What is internal auditing?

The IIA says that:

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

This definition was crafted in an atmosphere of controversy over several of its terms (such as the removal of the prior statement that internal audit was ‘within the organization’ in recognition of the possibility for outsourcing) in 1999. We are now ten years on and it has aged well. While there are still a number of voluble individuals who disagree that auditors should perform consulting activities, they are in the minority.

Fundamentally, internal auditing exists to provide “assurance” to senior management and the audit committee that certain things are working effectively as intended: the organization’s governance, risk management, and related internal control systems and processes.

Deloitte & Touche (principle #9 in A Risk Intelligent Enterprise, published in 2009) states “…certain functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization’s risk program to governing bodies and executive management”. A key responsibility is to provide “comfort”, which is essentially providing reasonable assurance that the organization’s risk management and internal control processes operate effectively - thereby helping the executive team and board members sleep at night.

Building on this expectation, Tim Leech, a respected internal auditor and blogger for the IIA, wrote in April 2009 that internal auditors have one primary reason for being: ensuring that “senior management and the company’s directors are fully apprised of the organization’s current residual risk status”. In other words, audits should not focus solely on assessing the quality of the controls, but instead address the quality of risk management and the health of the internal controls relied upon to manage risk. It is the job of senior management and the board to be aware of, and continually monitor the acceptability of, local or operating management’s residual risk acceptance decisions. Too often internal auditors determine what is “acceptable”; this is not their role. It is the responsibility of the board to set organizational risk tolerance, management to operate within that level, and internal audit to provide assurance that the key risks are being managed (through the operation of internal controls) within the tolerances established by the board.

The IIA definition was advanced thinking for its time and internal auditors are still wrestling with how they can provide assurance over not only the system of internal controls for the organization, but also its risk management and governance processes. The IIA has been producing guidance and related training on the topics of auditing governance and risk management, but even ten years after the definition was approved few are performing audits of those areas and providing overall assurance to the board and executive management. We support the continued development of practice advisories, practice guides, training and other information to help the profession ‘catch up’ with the ten-year old requirement to audit governance and risk management. Perhaps additional motivation to address risk management and governance objectives will be driven by external quality assurance reviewers who understand and apply the definition of internal auditing.

In fact, too many internal audit functions remain focused on performing individual audits rather than providing any level of overall assurance – even on internal control. Based on studies over the last few years and our personal experiences, only about 50% of internal audit departments routinely include an overall assessment of the quality of risk management and internal controls in their audit reports. While this is disappointing, it is even more so that very few chief audit executives (CAEs) provide their board and executive management with an overall assessment of the organization’s overall risk management and internal controls processes. We believe this will change, if only to comply with the increased tendency for international governance frameworks (many of which are mandatory, such as in the U.K. and South Africa) to require a formal assessment by internal audit of risk management and internal controls. We understand that the new King Code III in South Africa will even require that the internal audit assessment be included in the annual report to the shareholders.

One interesting issue related to the definition of internal auditing and related (IIA) standards is the split (approximately 50:50) between internal audit functions in the U.S. that test internal controls over financial reporting (for Sarbanes-Oxley section 404 compliance, “SOX”) on behalf of management and those that limit their involvement to general oversight and reviewing the testing that is performed by management (or a separate financial compliance group, or similar). The argument is between those who believe that SOX testing is a value-add service to management and addresses the more