As 2014 draws to a close, I am reflecting on the events that will have a lasting effect on our profession. Each year, various news reports hold clues about emerging risks and future trends in internal auditing. This year, five headlines in particular stand out because they mark events that could change our path forward for the foreseeable future.
So, here is my list of the five headlines from 2014 that are most likely to shape the future of internal auditing. Each of these stories holds important lessons for us all.
As I pointed out in a recent blog post, changes to rules regarding revenue recognition — “Revenue from Contracts with Customers” — will soon replace more than 200 pronouncements from both the U.S. Financial Accounting Standards Board and the International Accounting Standards Board, and they will cause sweeping changes in accounting practices in a number of industries.
Implications: Internal auditors know that when processes undergo change, control breakdowns are likely to occur. Revenue-recognition issues rank among the most common causes of restatements of financial statements even when the rules are not undergoing sweeping change, so internal auditors should be prepared to offer assurance regarding whether or not the new rules are being implemented appropriately. Companies in software development, telecommunications, real estate, and asset management will likely see a major overhaul of accounting methods and systems, but all audit executives should become fluent in the new requirements. If you haven’t included adequate coverage of revenue recognition in your audit plans, your company might be in next year’s headlines for the wrong reasons.
Cyberattacks wreaked havoc in 2014, especially among large American retailers. A survey by the Ponemon Institute indicates the average cost of cybercrime for U.S. retail stores more than doubled from 2013 to an annual average of US$8.6 million per company in 2014. Attacks at big-name companies raised serious concerns about the effectiveness of the private sector’s information security. No industry is immune, and during the past few months the largest cyberattack in history was carried out against independent media sites in Hong Kong.
Implications: Retailers are fighting back with the launch of a new Retail Cyber Intelligence Sharing Center (R-CISC). But despite the spotlight on cybercrime, many companies are not well-prepared. According to a 2014 survey by Protiviti, there has been a significant year-over-year jump in the number of organizations without a formal documented crisis-response plan. One in three companies do not have a written information security policy, and more than 40 percent lack a data-encryption policy. One-fourth don’t have acceptable use or record-retention/destruction policies.
Internal auditors can play a number of important roles in battling cybercrime: for example, assessing whether controls and policies are in place, verifying that the organization’s incident response plans are robust, ensuring compliance with changing regulations/legislation pertaining to cybersecurity, and verifying that a breach notification plan is in place.
When federal whistleblower rules were enacted, it was understood that even internal auditors could be eligible for whistleblower awards under certain conditions. In 2014, we saw the first payout ever made to an employee who performs an audit or compliance function. The U.S. Securities and Exchange Commission (SEC) has a valid need to ensure that appropriate action is taken whenever fraud or corruption is exposed in a publicly traded company. And, according to the SEC, the individual who received the US$300,000 payout in this precedent-making case followed all the rules, including giving the company at least 120 days to adequately address the problem before reporting it to outside authorities.
Implications: Many details and identities have been redacted to protect the parties involved, but this whistleblower case should serve as a stark reminder of the important safety net provided through the Three Lines of Defense. Risk-based controls should have been in place to prevent such acts from happening in the first place (the first line of defense). Internal monitoring and oversight should have detected any breakdown in controls (the second line). And, internal audit should have been able to successfully report the issue directly to the board (the third line). No matter how you feel about the reward money, one thing is crystal clear: When an internal auditor — or anyone else in an organization — feels there is no other option than to blow the whistle, all three lines of defense have failed.
During a speech at The IIA’s General Audit Management Conference in Orlando, Fla., U.S. Public Company Accounting Oversight Board (PCAOB) member Jeanette Franzel stated, “We are currently in a ‘perfect storm’ in the area of internal control over financial reporting, which demands effective action by all participants in the financial reporting and auditing chain.” The PCAOB is adopting a “get tough” attitude toward internal control issues, and Franzel acknowledged that many companies are experiencing changes in their external audit firms’ approaches as a result of PCAOB inspections and the recent guidance in Audit Practice Alert No. 11.
Implications: Many audit executives believe that an increasing burden may be placed on internal audit resources as an indirect result of new PCAOB requirements for external auditors. This is the time of year that many internal audit departments undertake annual planning and budgeting tasks. If you have not yet talked with your external auditors about their expectations of internal audit during the coming year, it may be past time to schedule a meeting.
Getting a job as a CAE might be more difficult for career internal auditors than most of us would have imagined only a few years ago. According to the 2014 Pulse of the Profession report from The IIA’s Audit Executive Center, 42 percent of CAEs in North America held a position outside of internal audit immediately before becoming CAE. There are probably numerous reasons for this trend, but a recent poll of audit committee members by KPMG’s Audit Committee Institute provides an unsettling one: 82 percent of audit committee members believe internal audit’s role/responsibilities should extend beyond the adequacy of financial reporting and controls to include other major risks and challenges facing the organization; yet, only half of the audit committee members stated they believe internal audit currently has the skills and resources to be effective in the role they envision.
Implications: As I pointed out in a blog post last April, change is never easy, and rapid changes tend to render irrelevant the people who cannot adapt. If half of our audit committee members don’t think we have the skills to get the job done, it shouldn’t be a surprise that 42 percent of new CAEs are coming from outside the profession. We are at a point where we need to correct misperceptions and demonstrate that we can get the job done, regardless of the type of risks our organizations face. That’s because, at organizations where internal audit is not meeting expectations, changes will be made. And those changes may be hard to swallow.
Much can be learned from the headlines of 2014 and their impact on the changing role of internal audit. What other events or stories from 2014 do you see impacting the internal audit profession? As always, I welcome your thoughts.