A New Era for Internal Auditors

Through training and certification, internal auditors can help their organizations evaluate and measure internal controls to maintain a healthy existence. MICHAEL BROZZETTI, CIA, CISA, CGEIT PRESIDENT BOUNDLESS LLC The core of every internal control system is the integrity of its people, processes, and technologies. There is little debate that the U.S. financial crisis, caused by concurrent system failures, has had a global economic and political impact. In the wake of today’s corporate scandals, bankruptcies, media-frenzied bailouts, and the financial market meltdown, light is once again being shed on the criticality of system risk and control over processes and technologies. However, more scrutiny is starting to be placed on the people who are responsible for governing and managing these systems. Because people are the most vital part of any system environment, it is imperative to have the right people — especially qualified internal auditors — in the right positions performing the right activities. INTERNAL AUDITING AS THE CORPORATE CONSCIENCE “Risk Governance is about three things: understanding the limits of acceptable risk, providing confidence and guidance to management, and anticipating events to set yourself up for success,”said Admiral William J. Fallon (United States Navy, Retired), co-chair of the Blue Ribbon Commission on Risk Governance, in a Commission report, Balancing Risk and Reward. In today’s economic climate, the concept of governance and risk management must evolve from mere written principles into robust practices within board and management processes. The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) defines the role of internal auditing in governance in Standard 2110 – Governance: “The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives: Promoting appropriate ethics and values within the organization. Ensuring effective organizational performance management and accountability. Communicating risk and control information to appropriate areas of the organization. Coordinating the activities of and communicating information among the board, external and internal auditors, and management. With respect to ethics, the internal audit function is generally expected to serve as the corporate conscience. Therefore, the posture of the internal audit function must be such that it can influence the corporate “brain,” which encompasses members of the board and management who are the keepers of the organization (i.e., “body”) and trusted guardians of its well-being. As the corporate conscience, internal auditing must be prepared to have open, candid, and constructive dialogues with their boards and management to not only comply with the Standards, but also to balance the scale between the organization’s financial and ethical performance. One of the more sensitive challenges internal audit executives are confronting is how to bring transparency to the board and management’s personal values, which are an essential part in establishing the integrity and core values of an enterprise. While the public sector continues to bring board and management transparency to the forefront of the reform agenda, there will likely be more focus on personal transparency among board members and management. The internal audit activity should recognize and consider this “inner” transparency when assessing governance structures and processes, and promoting appropriate ethics and values within the organization. PREPARING FOR THE CHALLENGE

This article was originally published in the November 2009 issue of IIA Insight.

Internal auditors have an important role and must be educated and trained to effectively carry out their responsibilities. An educated and skilled auditor should be able to filter out the noise and sift down to what information is relevant, reliable, and sufficient to support the reasoning for timely decisions and actions. The new generation of internal audit professionals must strive to become as wise as the board, as savvy as management, as intelligent as the lawyers, as diligent as the accountants, and as precise as the statisticians. Most notably, internal auditors must exercise fair and ethical judgment. Historically, there have not been regulatory requirements for internal auditing standards or certification requirements for its professionals. At this time, it is unlikely that a regulatory rule would enforce definitive quality or certification standards; however, it is critical that education and training programs are implemented to improve the effectiveness of the internal audit function. These programs will improve the capabilities of the company’s internal watchdogs to help identify and respond to risks that threaten the health and vitality of the organization and its economic ecosystem. Although there are a variety of audit-related certifications available, some are more notable than others. For example, The IIA’s Certified Internal Auditor (CIA) designation, which has been earned by approximately 80,000 internal auditors worldwide, is The Institute’s flagship certification and the standard by which individuals demonstrate their overall competence and professionalism in internal auditing. While other certifications touch on specific areas of specialization, the CIA certification covers the broader range of knowledge that internal auditors need to know. “Becoming a CIA enhances your overall skills in internal auditing, establishes your credentials, and demonstrates your commitment to the internal audit profession,” says Angie Woodward, CIA, CCSA, CGAP, CFSA, IIA director of certification. “Even for individuals who are not planning to stay in internal auditing long term, earning the CIA can still add value to their careers by preparing them to meet a variety of management challenges.” In addition to the CIA, The IIA offers three specialized certifications: Certified Government Auditing Professional (CGAP). This designation demonstrates an individual’s knowledge of the unique features of public-sector auditing — fund accounting, grants, legislative oversight, and confidentiality rights. The program’s broad scope emphasizes the auditor’s role in strengthening accountability to the public and improving government services. Certified Financial Services Auditor (CFSA). The CFSA measures an individual’s knowledge of, and proficiency in, audit principles and practices within the banking, insurance, and securities financial services industries. Certification in Control Self-Assessment (CCSA). This certification is designed for practitioners of control self-assessment (CSA). Gaining the required knowledge of areas such as risk and control models — often considered the realm of auditors only — exposes CSA practitioners to concepts that are vital in effectively using CSA to help clients achieve their objectives. Other specialized certification programs also are available to internal auditors. The Association of Certified Fraud Examiners’ (ACFEs’) Certified Fraud Examiner (CFE) credential denotes proven expertise in fraud prevention, detection, and deterrence. According to ACFE, CFEs have a unique set of skills that combine knowledge of complex financial transactions with an understanding of methods, law, and how to resolve allegations of fraud. Fraud examiners also are trained to understand not only how fraud occurs, but also why it occurs. Approximately 20,000 anti-fraud professionals have obtained their CFE credential. The Information Systems Audit and Control Association (ISACA) offers the Certified Information Systems Auditor (CISA) certification, which is a globally recognized achievement for those who control, monitor, and assess an

This article was originally published in the November 2009 issue of IIA Insight.

organization’s IT and business systems. More than 70,000 professionals have earned the CISA since its inception in 1978. Although internal audit certification currently is not mandatory, audit-related acronyms are starting to find their way into the boardroom to help directors and management set standards to measure the competency and qualifications of those professionals responsible for safeguarding the corporate conscience. LOOKING TO THE FUTURE While we continue to endure the challenges of these tough economic times, it is important to recognize that government regulation will cause various degrees of change to governance and internal control systems. Those organizations that recognize this will not only be prepared to respond to these changes, but also will be better positioned to sustain focus on strategic operations that create value for stakeholders. As companies embrace this ideology, we will continue to see the trend of increased audit-related certification as a means for organizations to evaluate and measure internal control excellence and maintain a healthy existence. Michael Brozzetti, CIA, CISA, CGEIT, is president of Boundless LLC, a Philadelphia-based firm specializing in applying audit, compliance, and forensic methods to enhance the overall health and well-being of organizations. He is a member of the IIA–Philadelphia chapter. Learn more about Michael at www.internal-audit-training.com

This article was originally published in the November 2009 issue of IIA Insight.