Traditionally, internal audit was seen as a value protection element in the organization’s system of risk management and controls. It helped organizations protect value through a heavy emphasis on assurance on the effectiveness of financial, compliance and operational risks. However, over the past 30 years, internal audit has undergone a number of transformational changes. The late 1990s brought greater emphasis on consulting and advice in addition to traditional assurance engagements. In the early 2000s, The IIA Standards were revised to emphasize risk-based auditing and to require that internal audit undertake a risk assessment at least annually as part of its audit planning process. The past decade has witnessed the profession expanding the portfolio of risks it addresses to include organizational culture, the environment, sustainability, governance and more.
As the profession has demonstrated its versatility, a widespread shift in expectations has occurred. No longer is internal audit seen as simply a protector of value in many organizations. The IIA’s 2030 vision is one in which “internal audit professionals will be universally recognized as indispensable to protecting and enhancing organizational value.” And, further, in the most recent update to the International Professional Practices Framework (IPPF), The IIA added a mission statement for internal audit that reads, “to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” The task force working on this at the time purposely placed emphasis on the word “enhance”, placing it before “protect”, due to the importance of this concept.
Some internal audit departments are already there, and others are on a journey to get there. Unfortunately, far too many internal audit departments are content with the role of value protectors. I have begun to refer light-heartedly to these internal audit departments as internal guard-it departments.
Don’t get me wrong. Internal guard-it departments do add value to their organizations. For organizations cannot grow, prosper and add value for their stakeholders/shareholders if the assets and resources of the organization are unprotected. Without assurance that risks are effectively managed and that controls have been designed and effectively implemented, organizations face greater risks and challenges in achieving their objectives. However, internal guard-it departments are not realizing their full potential, and their focus on hindsight and even insight often fails to help their organizations avoid the hazards that lie ahead. This “protect value” work is viewed by some as baseline work.
Obviously, there is no formal definition for an internal guard-it department. However, I have identified 5 signs that your department might be one:
I recognize that a blog such as this one will elicit a variety of responses in the profession. The objective of my message is not to make anyone feel bad or defensive about their internal audit department. In the end, we must all answer to our stakeholders, and many of them are very comfortable with a more traditional approach to internal audit coverage. However, we should never be content to simply guard our organizations. We should tout our potential to stakeholders as an instrument not only to protect organizational value but to enhance it as well, and encourage CEOs and Audit Committees to tap that opportunity.
In my book Agents of Change: Internal Auditors in an Era of Disruption, I observed:
“Internal auditors used to be derisively referred to as ‘bean counters.’ The classic assurance providers in the profession still count the beans. Trusted advisors, on the other hand, know how to grow, harvest, and take the beans to market. But it is the change agents in the profession who are bold and confident enough to advocate changing the crops from growing beans to growing corn.”