As I have often commented, the internal audit profession in its early years was focused extensively on the past. Strong internal auditors were the ones with 20/20 hindsight — they could go back in time through skillful use of records and interviews to uncover every mistake, then report each misstep in exacting detail. Back then, we thought we best added value when we helped our organizations recognize mistakes and avoid making them in the future. At most companies, our primary role was to be the hindsight experts.
Hindsight will always be important for internal auditors. Even in the 21st century, we are brought in to assess what happened. When used well, hindsight helps others learn from experience and build expertise. But there are things hindsight cannot tell us. By definition, it can’t predict. Hindsight cannot warn organizations about rapidly evolving legislation, explosive technological growth, mounting risks of cybersecurity breaches, burgeoning economic crises, or the many other changes that we have experienced during the past few decades.
But in today’s relentlessly evolving business environment, hindsight is not enough, and this has fundamentally changed our vision of what is a strong internal auditor. We have advanced to providing real insight into our organizations’ risks, controls, and operations. And this insight is a key element of internal audit’s “value proposition.” Internal auditors and their stakeholders are no longer content with after-the-fact reviews. Instead, we must be at the front end of our organizations’ strategic undertakings, helping with acquisitions, systems redesign, multinational business expansions, and other initiatives that can mean the difference between success and failure for our clients.
The addition of insight to internal audit’s value proposition was an important advancement for our profession. Yet, I believe internal auditing’s greatest opportunity to add value for its clients is only beginning to be realized. Today, we are just beginning to explore the potential of moving beyond both hindsight and insight — and positioning ourselves to provide foresight.
For internal auditors, foresight is the ability to contemplate key risks and challenges that our organizations could conceivably face, so that we can share those perspectives with management and the board. This way, we help our clients prepare for challenges or opportunities before they materialize. Foresight enables us to warn of pending disasters that may befall our organizations in the event management is ignoring strategic or business risks. For example, foresight might have saved Kodak, Blockbuster, or Lehman Brothers. Of course, management might choose to ignore the foresight that internal auditors provide. But at least the flag will have been waved.
It’s a safe bet that the “strong” internal auditor a few decades from now will be very different from the successful internal auditor working today. Indeed, the future will demand new and more-innovative services from our profession. Because the organizations we serve, and the world in which they operate, are in a constant state of transformation, internal audit must continue to enhance and expand its “portfolio of services” if it is to stay relevant.
This month, The IIA kicks off its 75th anniversary. Throughout the coming year, I will be reflecting on the progress we have made as a profession since 1941. I believe it is safe to say that the insight and foresight we provide today add more value to our organizations than the hindsight we provided seven decades ago. Looking back, we should probably have been looking ahead all along.