What 8 Years of Writing Blogs Has Taught Me About Internal Auditing

I have covered many topics relating to the day-to-day workings of internal auditing over the eight years that I have been writing this blog. The dynamic nature of business and the profession’s evolving role within the organization have made it relatively easy to keep the issues topical and fresh.

February 10^th marks the eighth anniversary of Chambers on the Profession. When I wrote that first blog, I had only been on the job as The IIA’s CEO for about four weeks. American and global economic uncertainty hung in the air like a stale fog. A sense of crisis and pessimism permeated the world in ways not seen since the onset of the Great Depression almost 70 years earlier. A new U.S. president had just been inaugurated, and the euphoria of his supporters stood in sharp contrast to the anxiety of his opponents.

Given the milestone, and the similarities between then and now, I decided to take a look back at those first few blog posts to see whether the challenges and opportunities facing the profession then are much different than those we face today. I’ve concluded the answer is yes — and no.

Clearly there have been major changes in business, regulatory, and other factors that drive the profession. Some of the most significant:

• The pace of emergin​g risks has added a new dynamic to internal auditing. I have written on numerous occasions that today’s practitioners must position themselves to audit at the speed of risk. Indeed, the future of internal auditing rests largely on adapting our skills and work practices to keep pace with the speed of risk.
• Cybersecurity is the paramount risk. Few developments have had the impact on risk management that the emergence of cyberattacks and related data breaches has. The fervor of cybercriminals and the financial and reputational damage they can create have put cybersecurity top of mind in every boardroom. Internal audit must play a crucial role in providing assurance on cyber risk mitigation, crisis management, and crisis communication strategies.
• Internal audit’s scope of work is rapidly expanding. More boards and audit committees are seeking internal audit services outside the traditional areas of financial reporting and compliance, especially in the area of operational risks and related controls. Additionally, internal audit’s advisory role is growing.  
• Data analytics, continuous auditing, and the Internet of Things. The pace of technological changes accelerates with every passing year. Technology offers internal auditors new tools and techniques as well as new risk challenges. Internal auditing must embrace technologies that will make the profession more efficient while alerting our organizations about the aspects of technology that create new risks.

These and other changes will require our profession to adapt and evolve, as it has successfully in the past. But even as change is swirling around us, there are certain issues that remain the same.

In 2009, I wrote about a roundtable discussion held at The IIA’s General Audit Management conference that resulted in a whitepaper titled, “A World in Economic Crisis: Key Themes for Refocusing Internal Audit Strategy.” It is telling how many of the recommendations from that report continue to resonate for internal auditors today.

In part, the report encouraged internal auditors to invest in their relationships with management, boards, audit committees, and other risk professionals within the organization. It also urged internal auditors to build their business acumen. The value of those recommendations is as clear today as it was​ in 2009.

I find it fascinating that the recommendations from that 2009 whitepaper are echoed in many of my blog posts from 2016. They are particularly prescient in light of two themes I will continue to write about in the coming months and years — the influence of corporate culture in governance and internal auditing’s role as a champion for good governance and effective compliance controls.

The common theme to the changes I mentioned earlier is that each has expanded stakeholder demands on internal auditing. Those things that remain unchanged — relationship building, communications, business acumen – provide the foundation for meeting those expanding demands.

It is encouraging and exciting that our stakeholders want more from internal audit. I believe it reflects their growing appreciation of the value internal audit brings to the organization. Meeting those growing demands will require that we work faster and smarter while protecting our objectivity and independence. Our profession faces significant risks should we fall short.

As always, I welcome your comments.