The Current State of Internal Auditing
A personal perspective and assessment

I. Introduction

Norman Marks and Jay R. Taylor have been practitioners and thought leaders in the internal auditing profession for many years. In this article, they bring their combined experience and perspectives, as well as the results of their very broad networking with other leaders around the globe, to assess the current state of internal auditing and share their views on where the practice should be heading. While both have senior positions within their organizations, and are very active within the IIA and ISACA, the views expressed are theirs and theirs alone.

In this article, Jay and Norman review high-level issues such as standard-setting and leadership of the profession, and where internal auditing should report. They then consider each major aspect of internal auditing (such as audit planning and risk assessment; performance of individual audits; staffing and resources; the use of technology; fraud and investigations; the quality of audit reporting and other communications; and value-add consulting and other services). The authors discuss how internal auditing has improved and where opportunities for enhanced performance can be found in each area.

II. The State of the Profession

Are we one profession, two, or even more?

While there are others (such as the Board of Environmental, Health & Safety Compliance, which offers a valuable certification for EH&S auditors), there are two dominant organizations for internal auditors: the Institute of Internal Auditors (IIA) and ISACA (formerly known as the Information Systems Audit and Control Association). We are, in truth, a single profession – but unfortunately we have two organizations that profess to represent us and provide professional standards. While there have been attempts in the past to reconcile and agree on common standards, the fact is there are two sets.
We agree in principle with the ISACA statement that, “The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing.” But many of us are both Certified Internal Auditors (CIA) and Certified Information Systems Auditors (CISA), and are confused as to how we determine where one set of professional standards starts and ends versus the other set. How can we, for example, realistically separate a business function into the automated portion versus the non-automated portion when trying to seamlessly evaluate controls within a single process from end-to-end? The truth is we cannot and should not abdicate the evaluation of all technology-related areas to IT auditors. There should only ever be one internal auditing department at any organization and IT auditors are members of that department. Just as it makes no sense to us to have two people making a single evaluation of controls, it also makes no sense to have two potentially competing and conflicting standard-setting bodies for a single profession. We hope that time and common sense will enable leaders within ISACA and IIA to move towards a combined, authoritative set of standards. Initial areas of focus should include a single set of standards around such things as the role and purpose of internal auditing within the organization, audit planning, risk assessment, documenting the work, reporting, and other areas where professionals see commonality.

We certainly have no problem with the existence of two professional organizations, with ISACA taking the lead on technical IT guidance, certifications, and training. However, until there is a recognition that we are in fact one profession, the wasteful and duplicative efforts of the two organizations will likely continue. New thinking is needed to rationalize the domains of the two organizations.

An interesting question is whether we are considered a profession by those that matter: regulators, boards, and those responsible for governance and risk management frameworks. The good news is that major progress has been made around the world in the last decade. Although internal auditing still has a long way to go if it is to be considered in the same league as external auditing, the IIA has been taking the lead in reaching out to international governance, regulatory, and governmental organizations with their advocacy programs to obtain the professional recognition needed.
What is internal auditing?

The IIA says that: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

This definition was crafted in an atmosphere of controversy over several of its terms (such as the removal of the prior statement that internal audit was ‘within the organization’ in recognition of the possibility for outsourcing) in 1999. We are now ten years on and it has aged well. While there are still a number of voluble individuals who disagree that auditors should perform consulting activities, they are in the minority.

Fundamentally, internal auditing exists to provide “assurance” to senior management and the audit committee that certain things are working effectively as intended: the organization’s governance, risk management, and related internal control systems and processes. Deloitte & Touche (principle #9 in A Risk Intelligent Enterprise, published in 2009) states “…certain functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization’s risk program to governing bodies and executive management”. A key responsibility is to provide “comfort”, which is essentially providing reasonable assurance that the organization’s risk management and internal control processes operate effectively - thereby helping the executive team and board members sleep at night.
Building on this expectation, Tim Leech, a respected internal auditor and blogger for the IIA, wrote in April 2009 that internal auditors have one primary reason for being: ensuring that “senior management and the company’s directors are fully apprised of the organization’s current residual risk status”. In other words, audits should not focus solely on assessing the quality of the controls, but instead address the quality of risk management and the health of the internal controls relied upon to manage risk. It is the job of senior management and the board to be aware of, and continually monitor the acceptability of, local or operating management’s residual risk acceptance decisions. Too often internal auditors determine what is “acceptable”; this is not their role. It is the responsibility of the board to set organizational risk tolerance, management to operate within that level, and internal audit to provide assurance that the key risks are being managed (through the operation of internal controls) within the tolerances established by the board.

The IIA definition was advanced thinking for its time and internal auditors are still wrestling with how they can provide assurance over not only the system of internal controls for the organization, but also its risk management and governance processes. The IIA has been producing guidance and related training on the topics of auditing governance and risk management, but even ten years after the definition was approved few are performing audits of those areas and providing overall assurance to the board and executive management. We support the continued development of practice advisories, practice guides, training and other information to help the profession ‘catch up’ with the ten-year old requirement to audit governance and risk management.
Perhaps additional motivation to address risk management and governance objectives will be driven by external quality assurance reviewers who understand and apply the definition of internal auditing. In fact, too many internal audit functions remain focused on performing individual audits rather than providing any level of overall assurance – even on internal control. Based on studies over the last few years and our personal experiences, only about 50% of internal audit departments routinely include an overall assessment of the quality of risk management and internal controls in their audit reports. While this is disappointing, it is even more so that very few chief audit executives (CAEs) provide their board and executive management with an overall assessment of the organization’s overall risk management and internal controls processes. We believe this will change, if only to comply with the increased tendency for international governance frameworks (many of which are mandatory, such as in the U.K. and South Africa) to require a formal assessment by internal audit of risk management and internal controls. We understand that the new King Code III in South Africa will even require that the internal audit assessment be included in the annual report to the shareholders.

One interesting issue related to the definition of internal auditing and related (IIA) standards is the split (approximately 50:50) between internal audit functions in the U.S. that test internal controls over financial reporting (for Sarbanes-Oxley section 404 compliance, “SOX”) on behalf of management and those that limit their involvement to general oversight and reviewing the testing that is performed by management (or a separate financial compliance group, or similar). The argument is between those who believe that SOX testing is a value-add service to management and addresses the more significant risks to the organization, and those who believe that SOX testing is a management responsibility. The latter argue that management should periodically verify that their controls are functioning adequately to provide a basis for their assertion in connection with financial reporting, while the internal auditors should focus on operational auditing.

But shouldn’t internal auditors provide assurance on all the major risks to the organization? Does it really make sense to perform no work on financial reporting risks? Those of us with longer memories can recall the pre-SOX days. A review of the 2003 IIA GAIN survey discloses that rather than focusing on operational auditing, the average internal audit function (across the more than 800 internal audit functions responding to the survey) spent a large portion of their work auditing financial controls! While operational auditing represented only 32% of audit time, assessing the adequacy of internal accounting controls was a regular activity for 82% of the organizations in the survey. Perhaps SOX did not put internal auditing as much out of balance as people think.

For us, the argument over whether internal audit departments should perform the SOX testing or not is one for each individual company to make - its board, management, and internal auditor. We take no position in this paper, only to say that reason should prevail and the best interests of the organization should decide. As to whether internal audit departments should only perform operational audits, or only financial audits, or only compliance audits, our position is that all of these positions are wrong. Internal audit departments should perform the activities necessary to provide assurance on the governance, risk management, and internal control processes at their organizations – consistent with the definition of internal auditing.
They should select specific areas to address based on a risk assessment, identifying the areas of greatest risk to the effectiveness of those processes while leveraging any and all assessment work of others when appropriate.

A question that many are asking is whether internal audit failures may have contributed to the corporate risk management and governance failures that led to the current global economic crisis [1]. Our view is that the answer depends on a number of factors. We assume, first, that the internal audit charter is consistent with the IIA’s definition of internal auditing, where internal audit provides assurance on and contributes to the improvement of the organization’s governance, risk management, and control processes – in other words, the charter directs the CAE to assess the adequacy of governance and risk management processes and practices. If the internal audit charter does not include this requirement, there is another problem: the internal audit activity is not complying with the IIA’s standards. We consider that a major problem.

If there were risk management or governance failures, and internal audit had such a charter but either did not audit these areas or was unable to persuade the board and management to make necessary improvements after an audit, then they failed. However, if they performed an audit, found that the governance and risk management processes were reasonably effective, and the failures were due to mistakes in judgment by management, then we would not call that an internal audit failure. Internal audit can only assess management’s processes, and there is always a risk that effective processes will fail due to human error.

[1] A survey by the Open Compliance and Ethics Group was inconclusive on this point, with about half assigning some measure to internal audit and the rest holding them essentially harmless.

Where should internal auditing report?

This is another question that continues to be a “hot topic.” In this regard, IIA Standards state: “The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.” The IIA’s public position, although not enshrined in the Standards, is that the CAE should report directly to the board (or audit committee) for functional purposes, and administratively to the CEO. Although a large number of CAEs (probably a majority) now report functionally to the chair of the audit committee of the board, the most common administrative relationship continues to be to the CFO.

There is a growing body of opinion that the CAE should report directly to the independent chairman of the board (or lead independent director if the CEO is the chairman), both functionally and administratively. The reasons include:

o The audit committee of the board is generally focused on financial matters, including financial risks, whereas internal audit needs to provide assurance on the management of strategic, operational, and compliance risks in addition to financial concerns. The downside of reporting to the audit committee is that internal audit may be asked to limit the level and extent of non-financial assurance provided to the organization. This is especially a concern in organizations with limited or declining internal audit budgets.

o Internal audit should provide objective assurance to the board on governance, risk management, and internal control. This requires a level of independence from management that is not achieved when management is able, through its ability to control budgets and assess the performance (and set the compensation) of the internal auditor (even when subject to approval by the board), to exert significant influence over the audit work performed.

We agree the question should be studied further. Boards will have to be persuaded that the role of internal audit is to provide them (primarily) and executive management (secondarily) assurance on governance, risk management, and control. We look to the IIA to continue their advocacy efforts to change this from an aspiration to a reality.

Do we have a Seat at the Table?

Do we get, within the company, the respect we deserve? Are we part of the senior leadership team or a mere observer? Have we earned and do we have the ability to effectively influence our organization to change?
Whether, as some assert, it is due to SOX and the critical contribution made by internal audit to management’s assessment of internal control over financial reporting, or whether it is due to the continued efforts of practitioners and the IIA, the standing of internal auditors within the business world has significantly improved over the last ten years:

o While ten years ago it was common for internal audit to be controlled by financial management, it is now unusual for the CAE not to have strong support outlined in an internal audit charter, or not report functionally to the board (or audit committee) and have direct access to its members.

o In most cases, the audit committee must concur with the hiring or termination of the CAE.

o At many organizations, the CAE has been a major force for change. Examples include the establishment of disclosure committees and risk management programs – often run in their initial stages by the CAE. In fact, so many CAEs were being asked to set up and run enterprise risk management programs that the IIA had to provide guidance on which risk management functions internal auditors could and could not perform!

We believe that best-in-class CAEs are valued, have the ear not only of the board but of the C-suite executives (CEO, CFO, CIO, and others) and have a major influence for change within the organization. There is a clear trend in this direction, especially as those who are given the opportunity seize it and consistently deliver.

III. Audit Planning and Risk Assessment

What should the audit plan cover?

To be effective, the internal audit plan should cover, over time, all of the significant risks to the organization – including key strategic, operational, financial reporting, and legal/regulatory risks – while leveraging the coverage provided by the organization’s enterprise risk management process [2].
There has to be sufficient coverage of these risks to allow the CAE to provide the required level of assurance over governance, risk management, and related internal control processes. In the attempt to “get it right”, many internal auditors spend significant time capturing all auditable entities, activities, processes and even systems into something they call an “audit universe” before performing an excruciatingly-detailed risk assessment. Later they find their audit plan doesn’t make sense and has to be tempered with significant business judgment before it becomes usable. Why does this occur? Fundamentally, the auditors did not start their analysis by focusing on business risks to the organization. So what approach should be taken?

[2] According to Paisley in their 2009 Best Practices in GRC Convergence: Building a Business Case for GRC Convergence (page 2), “the assurance functions of internal audit, risk management and compliance in most cases do not share business processes, terminology, or a common assurance methodology”. Their recommendation is to develop a discipline of “risk convergence” where governance, risk and compliance are aligned and supported by a standardized technology solution across the enterprise.
We feel the key to starting the assessment properly is to begin at the top with a focus on the identification of business risks. This can be difficult to do as it requires a good understanding of the organization’s strategies, business environment (including external activities and conditions affecting the business), applicable laws and regulations, operations, plus intended and actual operating and financial results. Often, internal audit is accused by management of not understanding the business. This may be explained by the fact that, according to the results of the recent PricewaterhouseCoopers’ 2009 State of the Internal Audit Profession Study, about 58% of auditors have five or fewer years of experience – even though the complexity of global business activities, systems and processes has increased significantly in their organizations [3]. So are internal auditors really equipped to identify the risks that could potentially impact organizational value? Forming good partnerships is one of the keys to gaining this understanding.

Like never before, internal audit’s focus must be aligned with priorities in the business to remain relevant [4]. Static risk models focusing on auditable entities will not produce the appropriate emphasis on enterprise issues or emerging and other risks requiring greater attention. According to the PwC study (page 9), “…successful internal audit departments will be those that maintain alignment with the changing risk profile of their company and the evolving needs and expectations of their key stakeholders” [5]. Nearly 60% of Fortune 500 respondents to the PwC survey believed the ability to identify emerging risks in the coming year is a medium or high concern. Accordingly, best practice is to form partnerships with senior leadership and members of the audit committee and have continuing discussions to identify emerging and other important risks. Once these are understood, and the related processes are identified, a universe of significant business risks can be defined to begin a meaningful assessment process. These discussions will go a long way toward defining the universe that should be covered. Focusing on trying to cycle audit coverage through a universe of all possible auditable activities, processes and systems should be avoided in most organizations where resources are limited, and is highly likely in any organization to result in auditing areas that are not the most significant risk areas.

Leading practitioners [6] assess the effectiveness of management’s risk management process and determine whether it can be relied upon by management – and by internal audit. To be useful, management’s assessment has to be updated timely and regularly, be sufficiently comprehensive and complete, and any risks that are not being mitigated or transferred to others must be clearly articulated for management’s acceptance.

[3] As we note in section V, below, the level of experience is improving – but improvements can still be made.

[4] IIA Standard 2010 on Planning states, “The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.”

[5] PwC also suggested that many audit organizations still require a shift in their focus from financial reporting controls to a focus on the sources of risk that impact or destroy shareholder value. We concur with this observation.

[6] One of the benefits of assessing and providing assurance over management’s risk management program is that it can be brought up to the level where internal audit can rely on it to identify the significant risks to include in the audit plan.
According to PricewaterhouseCoopers’ 2009 State of the Internal Audit Profession Study (page 29), internal auditors wanting to provide the greatest value should consider providing assurance over the organization’s ERM function. The value comes out of anticipating and monitoring the risks that are truly relevant to the success of the business. PwC indicates that the strategic and business risks that have recently led to breathtakingly rapid drops in shareholder values have caught even the most sophisticated risk management functions by surprise. So providing assurance over the ERM function helps to align internal audit’s efforts to the changing risk profiles and helps management protect shareholder value.

Where resources are lean, a strategy of reliance can be developed to integrate the work of other assurance providers into the internal audit assessment. However, care must be taken to ensure that the work of others is reliable and is performed objectively by competent personnel. Where deficiencies in management’s process are observed, internal auditing is well-positioned to perform a consulting engagement with the purpose of recommending enhancements that, once implemented, will allow senior management and the board to rely on the process in the future. However, where a risk management process does not exist or is immature, internal audit can work with senior management and the board to build an integrated risk management framework for the enterprise with the goal of providing a reliable and complete picture of the organization’s risks that everyone can eventually leverage.

How do I keep the audit plan current?

These days, an annual or static internal audit plan is no longer adequate to meet the needs of organizations facing a slew of new and increasing business risks. And who isn’t facing a slew of new or increasing strategic, financial, regulatory or operational risks?
Today every CAE has to be concerned about the possibility that their plan is quickly becoming stale like the chewing gum under the table. To cope with this kind of environment, professionals are finding ways to periodically reassess their audit plan to ensure it is kept fresh and responsive to organizational needs. An increasing number (although less than half according to PwC’s 2008 State of the Internal Auditing Profession study) of internal audit functions have moved away from annual risk assessments and audit plans to more frequent updates. Unfortunately, most of those have only moved to semi-annual updates and very few have implemented a process described in PwC’s 2009 State of the Internal Audit Profession study as “continuously confirm[ing] or refresh[ing] internal audit risk assessment results ... to steer audit focus on a real-time basis.” A few CAEs have taken an approach we believe excellent: a rolling three or six-month plan, rather than an annual plan that is updated periodically. This enables the CAE to do the right audits at the right time. However, this novel approach may require careful communication and persuasion as it will be new to the board and executive committee.

We believe strongly in one change that needs to be made across the profession. One traditional metric for measuring the effectiveness of internal auditing has to be condemned to history books: percentage completion of the annual audit plan. This is an incentive to perform audits of yesterday’s risks, an incentive to waste precious audit resources. Instead, the measurement should be based on whether assurance is being provided over the more significant organizational risks.

While techniques for performing periodic reassessments of the audit plan vary among organizations, the leading practice discussed earlier centers on the performance of an assessment of management’s risk assessment process. Having a robust and effective enterprise risk management process that can be integrated with internal audit is the best way to ensure that new and increasing business risks are being considered and addressed.

Other techniques for staying on top of the organization’s changing risk profile are also found in practice. For example, many CAEs have assigned managers to areas of the business so they can stay aware of changing risks and bring back almost real-time information that can be assessed and compared against other data points. This is perhaps a best practice. Other CAEs continually scan the internal and external environment for issues potentially impacting their organization. They periodically assemble their internal audit leadership team to discuss the implications of this new information on the audit plan or the strategy for conducting particular audit projects to address these issues. Still other CAEs prefer “MBWA” - management by walking around - attending senior management meetings, visiting major locations and just listening. (Personally, we call this “auditing by walking around”.) Sometimes staff who report to the CAE are delegated the responsibility for developing and nurturing certain networking relationships with others such as the general counsel, the CIO, and other key sources of information. All of these methods can help keep the audit plan fresh.
There is no right or wrong answer but the point is to perform some on-going and defined level of work to capture information in an organized manner and assess its importance to the control environment and the audit plan.

Some CAEs have taken the approach of setting aside a large portion of their available audit resources (in some cases, as much as 30%) for special projects. These are typically projects that are requested by management or the board in response to an emerging risk or opportunity, but can also be added by the internal audit management team when a risk area is identified that was not in the audit plan. Unfortunately, while these organizations have developed a process for adding audits, they are not always effective in removing audits of yesterday’s risks, or changing the planned scope and approach in response to changes in the nature or extent of the business risk. We believe in audit planning that ensures that all and only significant risks that relate to current or future operations are addressed.

In best-practice organizations, we also see more comprehensive, on-going monitoring of key or strategic business risk areas and related controls versus the ad-hoc, “point in time” assessment approach. The goal is almost continuous assurance on certain controls. These audit departments have identified, with senior management assistance, the risks to achieving important business objectives, then identified the combination of manual and automated controls that should be monitored to achieve the targeted level of assurance. While technology is used where feasible, regular checking on manual or administrative controls is also required but is minimized by applying the effort in a focused or targeted manner versus conducting full audit reviews. In this way, a portion of the audit plan can be devoted to continually reviewing those controls most important to management that provide the greatest level of risk management around achieving the organization’s objectives. Further guidance on continuous auditing may be found on The IIA’s website within its GTAG series, while insight regarding continuous risk and controls assurance (CRCA) may be found in SAP’s solutions for GRC [7].

It goes without saying that on-going monitoring of risk will add no value unless there is sufficient flexibility in the internal audit plan to deal with the risks identified. Gauging internal audit value with a metric that measures the percentage of the annual audit plan completed will only drive CAEs to auditing the risks of yesterday. As indicated earlier, an internal audit plan that is not aligned with management’s risk management process will not be effective - we need to find ways to address the risks of today and tomorrow.

During execution of the audit plan, internal auditors should be alert to changing conditions and be responsive where possible to management and board-level requests for assistance, including special investigations and control consultations involving strategic initiatives. However, there continues to be debate around whether internal auditors have the skills required to assess strategic initiatives and related risks. According to the January 2009 IIA Global Audit Information Network Knowledge Alert: 2009 Hot Topics for the Internal Audit Profession, nearly half of the survey participants said they had no plans to increase the level of assurance provided on business efforts in response to changes in their organizations’ strategic initiatives. However, IIA Chief Advocacy Officer Dominique Vincenti recommends internal auditors provide assurance by performing risk assessments once the organization decides to enter a new strategic venture. To help internal auditors make the change, Vincenti provides a three-step approach to guide an assessment or evaluation of strategic business initiatives.
This approach effectively enables auditors to better support management by “providing new assurance on new risks”. These special projects and requests must be balanced against the need to deliver on the audit plan as approved. Management requests should generally not be taken on by internal audit where they may result in the postponement of assurance reviews in high-risk areas.

How should technology risk be covered as part of the overall audit plan? First, we feel that the term “technology risk” should be stricken from the vocabulary. There is no such thing as “IT risk”, since risk exists only in the context of the impact technology could have on the organization or business operations. It is not some separate evaluation that must be completed. Instead, the risk assessment internal auditors perform around IT should be a sub-set of, and be integrated into, the overall internal audit risk assessment process. The result is a comprehensive audit plan in which application-related risks (including application general controls) are covered seamlessly during end-to-end audits of the related business areas. An alternative is to conduct separate audits of different sets of the controls over the end-to-end process, but in a way that ensures that all the controls that address the business risk are covered in an integrated fashion. For example, separate but coordinated audits might be performed over manual controls in a shared service center in Ireland, automated controls managed by IT application support in India, and data center controls in Canada. Many refer to this approach as “integrated auditing”.

Where it makes sense to do so, separate reviews of other aspects of the IT environment, including IT processes, infrastructure, and other areas, may be performed, but they must be directly connected to the business risk assessment to be relevant. For example, conducting an audit of a data center makes most sense when the applications running there are critical to the business processes and operations currently included in the overall internal audit plan and are assessed as having a higher risk of impact on the business.

Unfortunately, this model is not yet predominant in the profession. According to the March 2009 IIA GAIN 2009 IT Audit Benchmarking Study, only 52.9% of internal audit respondents use an integrated planning approach in which potential IT audit areas are determined as part of the risk assessment process or annual audit planning process performed to determine all audit universe components. In the April 2009 issue of Internal Auditor magazine, authors Anita Helpert and John Lazarine discussed the importance of, and provided practical steps for, “Making Integrated Audits Reality”. In the integrated model, the audits focus simultaneously on an organization’s financial, operational, and IT controls and processes. According to the authors, “integrated audits not only save time and money, they also address true business risks in thoroughly integrated findings” and are more “likely to identify points of exposure” while helping to solve the underlying problems. While our experience is that this approach is the most efficient and effective way to cover technology-related risk, many internal auditors lack the knowledge required to perform appropriate scoping.

[7] The need for and benefits of a CRCA initiative to internal auditors can be found in a document entitled “A Look into the Future: The Next Evolution of Internal Audit” at http://download.sap.com/solutions/sapbusinessobjects/large/governance-riskcompliance/brochures/index.epx
According to Protiviti’s 2009 Internal Audit Capabilities and Needs Survey (page 2), the area ranked by internal auditors as the one in which they most needed to improve was found within the category of General Technical Knowledge. Specifically, auditors felt they needed a much better understanding of The IIA’s Guide to the Assessment of IT Risk (GAIT) series of publications. The GAIT series describes the relationships among business risks (including risks to the financial statements, the efficiency and effectiveness of operations, and compliance with applicable laws and regulations), key controls at the entity level and within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Understanding GAIT principles allows the auditor to appropriately scope either IT audits or business process audits with an IT component. We recommend every audit department review a copy of GAIT for Business and IT Risk for use both in the scoping of individual audits and in their 2010 and continuing annual audit planning exercises.

Other surveys of the current needs of internal auditors also demonstrate the desire for IT knowledge. For example, the PricewaterhouseCoopers 2009 State of the Internal Audit Profession Study (page 18) revealed a knowledge gap in technology and indicated that IT audit work is not well shared in most organizations surveyed. Technology-related risks tended to be addressed solely by IT auditors, who were often in short supply. The study recommended that special attention be directed toward developing integrated departments whereby technology skills are embedded within the department rather than just being the domain of the IT audit subgroup. We strongly concur with that recommendation.
Further, the need to better integrate IT-related risk and controls knowledge within the skill set of every internal auditor has been supported by The Institute of Internal Auditors for years in various publications from their International Advanced Technology Committee and in the 2008 Competency Framework for Internal Auditors. While we feel that a greater level of integration between the work of IT auditors and business auditors is required to be successful, this integration may not be occurring in many organizations. Continuing focus in this area is needed.
Closing thoughts on the audit plan

One area where we believe CAEs can do better is to take a step back and consider whether the audit plan indeed addresses all aspects of business risk. For example, are all entity-level risks being considered, including organizational structure, authority and responsibility, governance, ethics, human resource policies and practices, communications and transparency, fraud risk and other such areas? Each of these areas is guided by policies and implemented by processes about which internal audit should provide assurance feedback to the relevant stakeholders. We are pleased that the IIA is in the process of developing practice guides in the areas of auditing governance and the (COSO) control environment.

Also, every CAE must find the proper balance in their audit plan between assurance engagements and value-add consulting projects. As discussed in greater detail in Section IX (Value-Add Consulting and Other Services), we caution that the desire to assist management with consultative services should not be pursued at the expense of critical assurance work, the internal auditor’s primary responsibility.

Finally, the audit plan must include a mix of projects with elements of complexity and difficulty to provide staff with opportunities to grow and develop. The existence and availability of challenging work assignments is often cited in employee satisfaction surveys as a key reason for joining or staying with one organization versus another.

IV. Use of Technology

Frankly, most internal audit departments struggle with the application of technology in their audits. From speaking with other professionals, we observe that the two most important uses of technology currently are to facilitate the management of the audit process (e.g., work paper management) and to conduct certain audit tasks such as documentation and testing[8]. Additional areas where software can be and is being used in internal audit include:
• Risk assessment
• Audit planning
• Data analytics
• Process and control documentation
• Automated testing
• Access control and segregation of duties monitoring
• Technical IT auditing
• Self assessment
• Audit findings and “open issue” management
• Visualization and reporting
• Shared “governance, risk and control (GRC)” repositories

[8] E&Y’s 2008 Global Internal Audit Survey reported that workpaper documentation, tracking findings, and reporting were the primary areas where internal audit functions found technology very effective.
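The automated testing and segregation-of-duties monitoring listed above, as an added example (illustrative code written for this page, not the authors' code or any vendor's product): two control tests run over a constructed payments population in full rather than by sample, returning only the exceptions for follow-up plus a coverage count for the workpapers. The vendor names, user IDs, amounts and dates are constructed sample data.

```python
"""Full-population automated control tests over a constructed payments ledger.

Added example for this page (not the authors' code and not any vendor's
product): two of the control tests an automated testing product would run on
a schedule, written so that every record is tested rather than a sample and
only exceptions are returned for the auditor to investigate.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    doc_id: str        # payment document number
    vendor: str
    invoice_no: str    # vendor's invoice number as keyed into the ERP
    amount: float
    created_by: str    # user who entered the invoice for payment
    approved_by: str   # user who released the payment
    paid_on: date


# Constructed sample population (not real data). In practice this would be a
# scheduled extract from, or a direct query against, the ERP payment table.
POPULATION = [
    Payment("P1001", "Acme Supplies", "INV-77", 1200.00, "alice", "bob", date(2009, 3, 2)),
    Payment("P1002", "Acme Supplies", "INV-77", 1200.00, "carol", "bob", date(2009, 3, 9)),
    Payment("P1003", "Globex", "GX-15", 8750.50, "dave", "dave", date(2009, 3, 10)),
    Payment("P1004", "Globex", "GX-16", 430.00, "dave", "erin", date(2009, 3, 11)),
    Payment("P1005", "Initech", "IT-3", 9999.99, "alice", "erin", date(2009, 3, 12)),
    Payment("P1006", "Initech", "IT-3", 9999.99, "alice", "erin", date(2009, 5, 30)),
]


def check_segregation_of_duties(population):
    """Control: the user who enters a payment must not also release it.

    Returns the document numbers where one user did both (an exception).
    """
    return [p.doc_id for p in population if p.created_by == p.approved_by]


def check_duplicate_payments(population, window_days=30):
    """Control: a vendor invoice is paid only once.

    Groups the full population by (vendor, invoice number, amount). The first
    payment in each group is treated as the original; every later one is an
    exception. Repeats within `window_days` are marked 'likely' and older
    repeats 'possible', so the auditor can triage rather than re-test by hand.
    """
    groups = defaultdict(list)
    for p in sorted(population, key=lambda p: p.paid_on):
        groups[(p.vendor, p.invoice_no, round(p.amount, 2))].append(p)

    exceptions = []
    for payments in groups.values():
        original = payments[0]
        for later in payments[1:]:
            gap = (later.paid_on - original.paid_on).days
            exceptions.append({
                "doc_id": later.doc_id,
                "duplicate_of": original.doc_id,
                "days_apart": gap,
                "severity": "likely" if gap <= window_days else "possible",
            })
    return exceptions


def run_control_tests(population, window_days=30):
    """Run every test over the whole population; return exceptions and coverage.

    `records_tested` is the evidence of 100% coverage that belongs in the
    workpapers; the exception lists are what goes into the follow-up workflow.
    """
    sod = check_segregation_of_duties(population)
    dups = check_duplicate_payments(population, window_days)
    return {
        "records_tested": len(population),
        "exception_count": len(sod) + len(dups),
        "exceptions": {
            "segregation_of_duties": sod,
            "duplicate_payment": dups,
        },
    }


if __name__ == "__main__":
    result = run_control_tests(POPULATION)
    print(f"Tested {result['records_tested']} payments, "
          f"{result['exception_count']} exceptions")
    for control, items in result["exceptions"].items():
        for item in items:
            print(f"  {control}: {item}")
```

On the constructed population this reports one segregation-of-duties exception (P1003) and two duplicate payments (P1002 against P1001, and P1006 against P1005, the latter flagged only as possible because it falls outside the 30-day window).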
Clearly the ability to do more high-quality work using fewer resources is supported by having the right tools and using them effectively. By now, most organizations have settled on the tools they need for automating and managing the audit process. Where most of us are behind is in the application of technology to perform our work, such as risk assessment, analytical review, continuous monitoring, and sometimes even substantive transaction testing. It was no surprise to us that Protiviti’s 2009 Internal Audit Capabilities and Needs Survey (page 7) indicated that the area ranked by internal auditors as the one in which they most needed to improve within the category of “Assessing Audit Process Knowledge” was a tie between “continuous auditing” and “computer-assisted audit techniques (CAATs)”. While this has been talked about and written about for years, the profession still has not fully embraced available technology in a way that is meaningful to its audit objectives. Perhaps we still have not reached a point where all internal auditors are expected to have a certain baseline of technology-related knowledge to be seen as fully skilled in the profession? The authors believe it is time for this to change.

Who among us can name a key process in their organization that is not at least partially automated? And if there is so much automation, why shouldn’t we expect all internal auditors to demonstrate basic proficiency in the knowledge of IT-related risk and controls? According to the PricewaterhouseCoopers 2009 State of the Internal Audit Profession Study (page 17), most internal auditors unfortunately aren’t prepared to audit in an automated environment. The survey reveals that internal auditors are still grappling with a skills gap in technology, particularly in major ERP systems. This is very troubling to the authors, who have for decades utilized computers in conducting their audits.
The PwC study indicates (page 16) that internal auditors should apply technology to conduct real-time reviews, escalate issues, and ensure compliance with standards. This includes the need to improve effectiveness by searching for errors or unusual transactions by automatically testing entire data populations. Training every auditor in the appropriate use of the tools, and holding them accountable for their application, is the critical foundation for their effective use. Even experienced IT auditors may not be familiar with advances in the technology available to audit departments. Examples include:
o Business intelligence (BI) solutions[9] literally put ‘information at your fingertips’. Used traditionally by financial and operations analysts, these products can be used by internal auditors to run queries and get reports without programming. Some companies, like Cisco, use BI for continuous risk monitoring and for data analytics before starting an audit. Rather than meeting the auditee and asking about their business, Cisco auditors start the meeting by asking about operating trends and data anomalies they have identified using BI.
o Automated testing products, also called continuous control monitoring[10], enable continuous data monitoring and control testing. Traditional CAATs rely on periodic extracts from enterprise data and on query and reporting programs. The newer products are executed automatically on a schedule set by the auditor, scanning and monitoring data as frequently as every minute[11], and reporting only exceptions or samples for investigation. The auditor identifies the controls to be tested and the procedures to be followed. The products include the workflow for responding to the items reported and maintain the required audit documentation on the results, so the auditor can assess the health of the tested controls. The solutions typically include dashboards or similar reports so the auditor can see and share the current results of testing.
o Specialized tools for the IT environment are being developed or enhanced all the time. One product that has exciting possibilities for internal auditors is able to access system logs and monitor transactions for specific events or transactions. Another scans outgoing network traffic to detect leakage of confidential or private data (including intellectual property).

Just as monitoring yesterday’s risks adds no value, employing yesterday’s audit and risk monitoring techniques and technologies will not create an efficient internal audit function that provides the level of assurance needed by senior management and the board to effectively manage business risk. The fact that internal auditors are finding technology most effective in performing administrative tasks (such as work paper management and tracking findings) is, in our opinion, because the value of today’s technology is understood by few – a great opportunity for CAEs desiring to make dramatic improvements in their internal audit operations. Our obligation as professionals requires us to become knowledgeable in all of the technologies that will help us become more efficient and effective. Because the work of IT auditors and business auditors must become more integrated to be successful, we must embed technology skills and the use of technology (such as on-demand data analytics using BI) throughout the audit department rather than leaving this within the domain of the IT audit team.

[9] The primary BI vendors include SAP Business Objects, Oracle Hyperion, and IBM Cognos.
[10] Vendors include ACL, SAP BusinessObjects, Oracle, Oversight, and IDEA.
[11] Some products do not require data extracts. They monitor the data from within the organization’s ERP, enabling rapid identification and investigation of exceptions.

V. Staffing and Resources
An internal audit department is only as good as its people – an old adage but highly applicable to the practice of internal auditing. The board and management rely on their business-practical insight; balanced and fair assessments of governance, risk management, and control processes; practical recommendations for improvement; ability to effect change and obtain corrective action; and ability to communicate and influence both management (at all levels) and the board. Over the last few years, progress has been made on a number of fronts when it comes to the quality of individuals in the internal audit function:
o Due in part to the improved position of internal auditing within most organizations (our seat at the table, discussed in section II above), the majority of CAEs are considered senior executives. As vice presidents (or better), they command a higher salary, and organizations are hiring and retaining more experienced individuals. Companies are, for the most part, no longer looking to promote senior internal auditors or hire managers out of public accounting to be their audit director. Now, they are promoting managers or directors, or hiring partners out of public accounting, to be their vice president of internal audit.
o While there continues to be a natural progression for accomplished CAEs to be moved into a senior finance or business position, there is more acceptance that the CAE is not necessarily a transitory position. Individuals without audit experience are less likely than in prior years to be brought into internal audit as CAE for a couple of years, and accomplished CAEs are being retained longer and rewarded for the business contribution internal audit is delivering.
o The improvement at the CAE level has been accompanied by a corresponding improvement in the compensation and experience levels of the balance of the staff[12]. The greater business experience and practical insight has improved the general level of value-add service provided to the board and management.
o Training for internal auditors has expanded beyond the technical to include the soft skills of listening and communication. Internal auditors are no longer seen as watchdogs in search of issues; instead, there is an improved awareness that internal audit must work collaboratively (but with objectivity and professional skepticism) with management to improve operations and add value. Internal audit functions evaluate the staff’s proficiency in the soft skill areas and provide training as needed.
o The number of auditors with specialized skills (such as in information technology or financial reporting) has improved. While there is still, in our opinion, an imbalance in many organizations between those with operational audit or public accounting experience vs. those with information technology skills (of which there are too few), improvements continue.
[12] Internal audit departments that are performing SOX testing have often hired more junior staff to support that work. However, they are typically not involved in monitoring risks and establishing the scope for audit projects, and are supervised in report development by more experienced auditors.
o Almost every organization uses co-sourcing with a professional services provider to complement their staffing, especially where specific technical or language skills or experience are required.

Prior to the economic crisis, internal audit budgets and staffing levels had generally improved – in part, due to the need to address controls over financial reporting. But a March 2009 survey of CAEs attending an IIA roundtable reported that:
o 53% had experienced budget reductions over the last 12 months
o 80% eliminated or reduced co-sourcing support and training
o 40% had reduced staffing levels, and the rest were under a hiring freeze

The challenge for the next year and beyond will be to provide the necessary internal audit services, which include additional attention to risk management processes and to operational and strategic risks in particular, with a reduced budget. CAEs at the roundtable indicated that one opportunity would be improved use of technology – as discussed earlier.

Another challenge will be to extend the scope of internal audit departments’ work to include assurance over governance and risk management processes. Although the IIA’s definition of internal auditing and related standards require assurance over governance and risk management processes in addition to controls, relatively few are meeting that requirement. Doing so will require the acquisition of new skills and experiences, especially where management’s risk management processes are complex, or where they are non-existent or immature.

VI. Performance of Individual Audits

The improved experience and skills in internal audit – as discussed earlier – together with the use of technology, have resulted in a general level of improvement in the quality and value of individual audits. However, we are concerned by the continuing number of auditors at all levels who seek checklists and standard audit programs when assigned a new area to audit.
Rather than using the preferred approach (in our opinion) of understanding the business risks and then identifying the controls to include in scope, these auditors are using what somebody else has designed – for a different situation. While sites like Jim Kaplan’s AuditNet are a fantastic source of audit programs, those programs are what was considered appropriate for another business at another time. Even when auditors choose the audit program used in the same audit last time, they are not considering that the business, related risks, types and natures of transactions, and the systems and processes used may be different. Auditors have the intellect, imagination, skills, and experience to approach every audit with the attitude that the risks to address and the controls to assess may be different from the prior year – or from what is covered in a program obtained off the Internet.

The same applies to the tools and techniques that auditors use. Rather than using the same audit approach as last year or as another company, auditors should understand that there are very many ways to perform an audit. Just because manual sampling and testing of transactions was effective last time does not mean that using automated techniques or a process audit approach would not be more effective in addressing the key business risks this year. As discussed earlier, technological advances enable internal auditors to change the way they perform audits. Auditors should understand these developments and take advantage of the following when appropriate:
o Continuous data and control auditing
o Data analytics, including the use of business intelligence tools already used by Finance and other departments
o Wikis and other collaboration tools (e.g., for risk assessment, control self-assessment, etc.)
o Enterprise risk management or governance, risk and control (GRC) repositories and tools
o Enterprise application functionality, including audit functionality and security monitoring
o On-line survey tools for quickly collecting and analyzing information or opinions for the audit from diverse groups of people
o Specialized tools, especially related to IT security and privacy, such as those that can be used to monitor outgoing network traffic for confidential data leakage (e.g., Cisco Data Privacy, Vontu, etc.), or those designed to identify IT vulnerabilities (e.g., WebInspect, Qualys, etc.)

While advances are being made (for example, roughly half of internal audit departments are making some use of continuous auditing technology), there remains significant room for improvement – in prohibiting blind re-use of audit programs, and in taking advantage of technology to provide an appropriate level of assurance.

VII. Fraud and Investigations

Advances in technology (e.g., in data analytics, security access monitoring, and continuous data auditing) have also improved internal auditors’ abilities to assist management in the investigation of suspected fraud, and to assess the controls and processes in place to prevent, detect, or deter fraud.
One area of improvement has been in management’s (and internal audit’s) fraud risk assessment processes. While the management of few companies actually conducts regular fraud risk assessments, internal audit departments are taking an active consulting role and explaining the need for management to assess the risk of fraud – and not rely totally on fraud risk assessments performed by internal audit. This is reflected in this section from the summary of the IIA’s March 2009 CAE roundtable:

“As the financial crisis deepens, new suspicions of fraud have emerged. When asked if their audit plan includes new activities to identify control or fraud weaknesses, most CAEs reported that they have increased their focus on fraud, particularly in areas with recession-related risks. While many have embedded additional fraud testing in their audit plans, others are expanding their scope using automated data mining tools. One CAE said that his organization uses a fraud framework to help clarify its focus.

“A few Fortune 100 company CAEs indicated that they are advocating self-assessment activities within the organization’s business units, pushing control and fraud monitoring accountability to operational management. This process, which serves as a continuous monitoring tool, can help shift audit resources from compliance testing to reviewing trends and the effectiveness of the self-assessment process.

“By reviewing the results of self-assessment questionnaires, surveys, and checklists, internal auditors can gain valuable information on control weakness trends that could lead to fraudulent activity.”

We believe there is still room for improvement. Organizations considered best-in-class require management to perform a fraud risk assessment, which internal audit reviews. Management also has processes and controls in place to prevent or detect fraudulent activity that are subject to periodic audits based on risk. Internal audit may perform additional fraud detection procedures in high-risk areas where necessary to support the external auditor (and thereby generate fee savings), or where requested by executive management or the board.

VIII. Reporting and Other Communications

As a profession, we continue to struggle with reporting the results of our audits:
o While a majority of departments assign some level of priority or significance to individual audit findings, that is still not universal practice.
o Too few audit reports include an overall opinion or assessment, the auditors apparently being satisfied with assigning significance to the individual findings.
They don’t step back, look at the entire picture, and provide management and the board with their assessment of the overall condition of the organization, process, or risk management activity. This overall opinion is, in our opinion, highly valuable, and without it we are failing to complete the assignment and give full value for our work.
o Audit reports remain focused on whether the controls tested were operating effectively, rather than addressing whether the business risks covered by the controls are managed within organizational tolerances. It is essential that internal auditors shift from a controls focus to a risk focus, consistent with board and management thinking (as recommended by all the CPA firms, such as PwC in their landmark publication Internal Audit 2012, where they said that, “Internal audit leaders must adopt risk-centric mindsets if they want to remain key players in assurance and risk management.”)
o Too many audit reports contain what auditors want to say, rather than what management and the board want or need to know. While some leading thinkers have made excellent progress towards clear, concise, and meaningful communications, we continue to see reports with these common failings:
    o Background information that management already knows, such as the size of the organization audited and its management structure
    o Details on the scope of the audit, sample size, and other data of no value or importance to the executive reader. Audit reports should not be written as if they are evidence, proof that the audit was performed to standards. They should be written as communication vehicles, with consideration of executive and board members’ limited time and desire for communications that get to the point
    o Discussion of issues and actions that are addressed by lower levels of management and do not merit the attention of executive management or the board
    o A reluctance on the part of the auditor to say that the risk management and control processes were, on the whole, effective with no significant issues – and leave it at that. Instead, there is an impression that they have to justify their existence and results by encumbering what should be a simple, short report with pages and pages of information providing no real insight to the executive reader. Instead of looking good, the auditor is actually demonstrating they don’t know how to communicate with top management
o Technology has enabled us to improve audit reporting in several ways. Again, some leaders in the profession are taking advantage of these tools, but not enough:
    o The ability to use information gathered by analytical tools to add context to the report. For example, if there are issues with vendor selection processes, information about purchasing patterns and levels, the number of vendors used and whether there is concentration of purchases, helps the reader understand the significance of the audit findings
    o Visualization tools, such as Xcelsius, enable the graphic representation of results with drill-down capabilities for management to understand related details.
For example, if a report discusses a failure to effectively monitor discounts taken, a chart that shows for each geographic region the level of discounts (with detail available on discounts by month or product line) provides management and the board with excellent information to improve their understanding of the significance of the issue and the need for action.
    o Visualization tools can also be used in support of continuous auditing to provide continuous reporting. Dashboards or similar communication techniques can be used to show management and/or the board, on demand, the current health of risks and related controls
    o Finally, visualization tools can significantly improve the quality of the CAE’s periodic reports to the board, and the presentation of the audit risk assessment and plan
o Another area where we believe there is room for improvement is the integration of audit results and assessments into management’s risk management process. Again, some companies have established a process where the risk office receives all audit reports and considers the implications for changing the assessment of related risks. The risk office also takes (or shares) ownership for monitoring completion of remediation. However, this is far from common practice.

Overall, there have been improvements, but it is not a good sign when many audit departments have average report lengths of 5 pages or more – some in double digits. This is a symptom that the department is using audit reports to document results rather than to communicate to executive management and the board what they need to know.

IX. Value-Add Consulting and Other Services

At least for most departments impacted by the burden of SOX testing, value-add consulting and other projects took a back seat over the last few years. Internal audit functions dedicated a large part of their time to performing testing for management, and/or working with management to ensure controls over financial reporting were effectively designed and adequately tested. CAEs have been rebalancing their audit plans over the last couple of years, with SOX work reduced significantly in most cases. CAEs have turned their attention back to what they generally term ‘operational auditing’, which is probably better described as audits that don’t focus solely on financial reporting risks. They include compliance audits as well as audits of the effectiveness and efficiency of operations. In many cases, ‘operational audits’ also include targeted audits of vendor compliance, healthcare cost management, and other activities that are generally considered consulting rather than assurance.
The ability to perform value-add consulting services has been significantly improved by advances in technology, notably in data analytics and continuous auditing tools. Many CAEs are very proud of their value-add activities, which have been met with acclaim and support from their management and board. After all, they are generating millions of dollars of cost savings, risk reduction, or revenue opportunities. We also commend these achievements – as long as they are not at the expense of providing critical assurance services. We believe that a CAE’s first duty is to provide assurance over all significant risks and related controls (including those related to external and management financial reporting). Only then can CAEs afford to provide value-add consulting activities. We literally shudder at the thought of internal audit departments focusing their attention on generating millions of dollars in value-add services while, through their inattention, ignoring and allowing ineffective governance and risk management practices to develop or continue without challenge.

X. Closing Thoughts
Overall, the profession and the practice of internal auditing have seen marked improvement over the last five or so years.
o The standing of internal audit has improved, with the CAE frequently having a seat at or near the senior executive table
o An increasing number of departments are starting to use continuous auditing techniques
o Leading CAEs are updating their audit plans quarterly, with a few moving to rolling three- or six-month plans
o Technology advancements enable significant improvements in the efficiency and effectiveness of internal auditing, for example in the area of data analytics or data mining

However, we believe further improvements can and should be made.
o CAEs should provide formal assurance on their organization’s governance, risk management, and related internal control processes
o Far more advantage should be taken of the significant improvements in available technology
o Continued improvements are needed in addressing IT as part of, and not separate from, business risk
o CAEs need to raise the bar on the level of IT-related risk and control knowledge expected of and held by the non-IT members of the team (business auditors), particularly those aspiring to supervisory or leadership positions within internal audit
o We need to become a single internal audit profession, with a single set of standards

Jay and Norman welcome your comments at [email protected] and [email protected].