American Center for Government Auditing: A Platform for Guardians of Public Trust
March 30, 20145 Risks That Should Be On the Internal Audit Radar – Now!
April 14, 2014On the surface, opportunities for internal auditors seem to be better than ever, with great prospects for career advancement. We are in a growing field and, because turnover rates are relatively high, new supervisory and management positions are constantly becoming available. As well, internal auditors are able to make important job contacts through their organizations, and many doors are open to us.
But it’s not all good news, and that could be our own fault. We may be doing a disservice to the rising generation of career internal auditors by actually limiting opportunities for advancement, despite our best intentions.
Advancement into audit management is very achievable these days, but getting a job as a chief audit executive (CAE) might be more difficult for career internal auditors than most of us would have imagined only a few years ago. The IIA’s Audit Executive Center just released its 2014 Pulse of the Profession report for North America, and the study found that 42 percent of CAEs in North America held a position outside of internal audit immediately before becoming CAE.
Obviously, there are benefits as well as drawbacks when organizations recruit from outside internal auditing for new audit executives. The new study does a great job of presenting the pros and cons for looking outside the profession to fill CAE positions, and it’s well worth reading for many other reasons. But the survey results also left me wondering why so few members of the internal audit team are considered “front runners” for the top spots in internal auditing.
One of the best ways to understand what’s on the mind of our stakeholders is simply to ask them. I haven’t seen a survey that specifically asks audit committees or senior management why internal auditors are frequently not the first choice for filling CAE vacancies; but KPMG’s Audit Committee Institute recently polled committee members on several related questions.
The results of that survey are unsettling: 82 percent of audit committee members believe internal audit’s role/responsibilities should extend beyond the adequacy of financial reporting and controls to include other major risks and challenges facing the organization. The bad news is that only half of these audit committee members believe internal audit currently has the skills and resources to be effective in the role they envision.
These facts add up to a big problem for internal auditors. If half of our audit committee members don’t think we have the skills to get the job done, it shouldn’t be a surprise that 42 percent of new CAEs are coming from outside the profession.
Change is never easy, and rapid changes tend to render irrelevant the people who cannot adapt. We are at a point where we need to correct misperceptions and demonstrate that we can get the job done, regardless of the type of risks our organizations face. That’s because, at organizations where internal audit is not meeting expectations, changes will be made. And those changes may be hard to swallow.
We also need to plan for the future and ensure we are ready for the next strategic realignment of internal auditing, whatever that realignment might bring. I believe that one important way to do this is to get back to the basics. The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) requires that we perform risk-based planning and that we have sufficient, competent resources to address a full range of risks, including:
- Achievement of the organization’s strategic objectives.
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations and programs.
- Safeguarding of assets.
- Compliance with laws, regulations, policies, procedures, and contracts.
If we truly are addressing and tackling each of these risks, there should be few questions about our ability and skills to take on the roles our stakeholders envision for us.
As the internal audit profession matures, it constantly swings from a focus on financial auditing to one on operational auditing. Over time, priorities change, and we are called upon to adapt — and to anticipate — our organizations’ evolving goals and objectives. A decade ago, with the implementation of the U.S. Sarbanes-Oxley Act of 2002, there was a rapid shift toward financial auditing. Today, the pendulum is shifting back toward operational and compliance audits as well as assurance on the effectiveness of risk management; and too many audit committees are seriously questioning whether we have the capabilities to make this transition.
Internal audit groups that operate in conformance with the Standards regularly develop risk-based internal audit plans that take into consideration input from key stakeholders. For these internal audit groups, there should rarely be questions about internal auditors’ capabilities and effectiveness.
In our rush to get the job done, it can be tempting to overlook the basics. However, in the long run, basics such as conformance with professional standards can help ensure we are ready for whatever tomorrow brings. There may be no better way to ensure the success — and the continued promotional opportunities — of the internal auditors who follow in our footsteps.
What are your thoughts on the prospects for rising internal auditors?
I welcome your comments via LinkedIn or Twitter (@rfchambers).