2013

You can tell a lot about a person’s character by the way they respond to a setback. I often comment in this blog on best practices and technical issues relating to internal audit. Today, I offer my thoughts on an issue of broader interest — perseverance. I can’t tell you how many people I’ve known over the years who have suffered a setback and never recovered. They just couldn’t get over that hurdle and get on with their professional or even personal lives.

In my career, I can recall at least three times when I dearly wanted a promotion or an assignment, and didn’t get it.…

In my recent blog on the uptrend in compliance audits, I wrote that internal audit should be risk-centric, meaning that our focus as auditors should evolve to align with prevailing risks and the concerns of our stakeholders. One risk getting a lot of attention these days from regulators and the media is the quality of external audits.

Wall Street Journal Senior Editor Emily Chasan reports in her Sept. 13 CFO Journal blog that external audits are headed for a new era of disclosure. The U.S. Public Company Accounting Oversight Board (PCAOB) is drafting new auditor identification rules to pierce the veil of anonymity that created the opportunity for some individuals to perpetrate fraud.…

In my role as the Global CEO of The IIA, I have the great privilege of traveling and meeting people in different sectors and industries from all over the world. Today I embark on a journey to Africa, where I will address the national conference of IIA–Zimbabwe and assist in various programs at IIA–South Africa, among other things. I’d like to dedicate this blog to our colleagues in Africa, who have every reason to be proud of how far the profession has come in the last 10 years alone.

The story of the past decade has been remarkable. As IIA 2012-2013 Global Chairman Phil Tarling reported on his visit to Africa last year, the internal audit profession is thriving in almost every country on the continent.…

As I have commented often in this blog, one of the remarkable attributes of our profession has been our ability to adapt our coverage to address the emerging risks facing our organizations. Whether it was Y2K risks in the late 1990s, Sarbanes-Oxley compliance in the mid-2000s, or cost reduction and containment at the outset of the global financial crisis, we have repeatedly refocused coverage to address the most critical risks facing our organizations.

When The IIA established The Audit Executive Center (Center) in 2009, it began to closely monitor key trends in the profession and communicate them via semi-annual reports to chief audit executives.…

The guidance I provide most often to internal auditors is to “follow the risk.” It’s easy for internal auditors to go through our own process of assessing risk in an organization and auditing against those risks. But if we are focused on the wrong risks — that is, risks that are different from the ones senior management and the board are worried about — then I think we ought to ask ourselves why.

I’m not saying that you should take management’s assessment of the right risks as gospel. I’m saying that if you’ve compiled a list of things that are keeping your stakeholders awake at night, and that’s not what they say is keeping them awake at night, then you need to be able to speak to why.…

Anyone who has spent much time as an internal auditor has inevitably generated audit results that created friction or tension with those whose areas of responsibility were audited. Sometimes, even the most professionally executed internal audit with the most constructively written report can land with a huge thud. The results of our reports often are used as the basis for evaluating management performance. Unfavorable results have been known to cost executives a bonus, a promotion, or even their job. Adverse audits can damage relationships. Call it a “broken fence.”

It is practically impossible to avoid occasionally breaking fences in our line of work.…

With attention comes attention. Internal audit has been looking to elevate its “seat at the table” for as long as I can recall. And, in 2013, internal audit is being given that seat more and more as a result of regulatory intervention. Internal audit is getting attention.

As you have likely noticed, internal audit is increasingly finding itself on the radar of regulators around the world, particularly those overseeing financial services. We saw this in the U.S. Federal Reserve Guidance that came out earlier this year. And, in response to concerns being raised by financial services regulators in The U.K., The Chartered Institute of Internal Auditors published Effective Internal Audit in the Financial Services Sector: Recommendations From the Committee on Internal Audit Guidance for Financial Services.…

One of the things I enjoy most about social media is its ability to stimulate passionate and seemingly endless debates over the most insignificant topics. For many, these debates take place on Facebook or Twitter. For internal auditors, LinkedIn tends to be the platform of choice. For the past few days, internal auditors and others have been chewing on one particular LinkedIn post like a “dog with a bone.”

It all started about two weeks ago with the following post to The IIA’s Official Global Group:

“Should the internal audit profession be the preserve of chartered accountants only? Or should it be opened up to people with diverse professional backgrounds?”…

One of the most important things internal auditors can do to meet stakeholder expectations is to ensure internal audit priorities align with those of the board and executive management. Risks that “keep our stakeholders up at night” also should be of concern to us.

If that sounds like common sense, consider that Thomson Reuters’ survey of internal auditors, The State of Internal Audit 2013 (PDF), found that while internal auditors are focusing on assurance of internal processes and IT risk, boards are more interested in governance, strategy, and strategic-level risk management.

If your internal audit function is stuck in the past, you risk becoming irrelevant or missing the real risks to your organization.…

Recent risk-management failures in Washington, D.C., have reflected what happens when an organization with so many risks associated with the achievement of its mission fails to anticipate and manage those issues effectively.

The consequences can be dire. Loss of public confidence and widespread reputational damage can be devastating at any level of government, but especially when it occurs on a national or international scale.

Government auditors play a central role in fostering trust. Without them, citizens would lack credible insight into the soundness of the many inner workings of government. The professionals who audit federal, state, and local governments or other public entities must cope daily with career-threatening political risks from which private-sector internal auditors are largely immune.…