Brace for Change, Internal Audit
The Institute of Internal Auditors is holding its annual global conference this week in Washington, D.C., which of course means publication of a long, ponderous study about the current and future state of the profession. This study’s findings, however, point to some deeper truths about the internal audit profession that merit attention. Let’s take a look.
The study, breathlessly titled “Internal Audit: Vision 2035,” is based on a year’s worth of polling and interviews with more than 7,000 internal audit professionals around the world. The IIA wanted to know how the internal audit function is perceived today, and what the internal audit function will need to be able to do by 2035 if internal audit teams still want to be relevant by that time.
Some of the study’s findings are rather obvious, such as:
- Innovation and technology trump all: 92 percent of respondents agree that new technology is key to helping internal audit add more value.
- Upskilling will be crucial for career success: 96 percent agree that experienced internal auditors will need to increase their technology skills to remain relevant; 81 percent say that entry-level internal auditors will require an elevated skill set to be successful.
- People see internal audit as compliance buzzkills, not risk analysts: 54 percent say internal audit is seen as “compliance-focused” in their organizations, and 48 percent also say internal audit is viewed as the company’s “police.”
None of the above findings should surprise any internal auditor who’s been paying attention. Within them, however, is that deeper truth about what internal audit will need to do to remain a useful, important function in years to come.
Internal audit teams will need to master new technologies so that they can become true risk advisers to the business, in addition to their role as the guardians of internal control.
A Time for Transformation
I can already hear certain internal audit professionals fulminating over that last paragraph. “We’re not an in-house risk advisory service!” they say. “We only analyze and offer opinions on the effectiveness of risk management systems! And we’re not the ‘guardians of internal control’ either; we just test internal controls for effectiveness! Stuff it, Kelly!”
Stuff yourselves, purists. I stand my ground on both points.
Let’s take the latter point first: that internal audit teams are the guardians of internal control. This fact of life traces back to passage of the Sarbanes-Oxley Act more than 20 years ago. Corporate boards were suddenly responsible for the accuracy and reliability of the company’s financial statements, and they needed some inside team to improve internal control so board directors wouldn’t be sued (or worse, face criminal charges), and internal audit became that inside team.
So it has been ever since, and even today most internal audit teams spend a majority of their time testing and documenting SOX controls. Those teams do want to shed the drudgery of SOX compliance work, but doing so requires better technology, investment in a strong audit function, and a larger vision for what internal audit can do for the enterprise. All three can be a tough sell to the management team.
Now let’s get to a few other findings from the IIA survey:
- A shift to advising on risk: Survey respondents expect the time they spend on assurance to drop from 76 percent today to 59 percent by 2035; while time spent on risk advisory work will rise from 24 percent to 41 percent.
- Enthusiasm for adding value: 75 percent of the respondents find that the chance to add value is the most exciting aspect of the profession.
- A need for more executive support: Half of respondents said being misunderstood or undervalued is the greatest challenge for the profession. Forty-five percent indicated a need for more support from leadership and stakeholders.
Those three findings all drive at my first point, that internal audit must become more of an adviser on risk to the business. Clearly internal audit professionals know that’s the way of the future (first bullet point above); and apparently they also want to embrace that future because they want to be more valuable to the business (second bullet point above). Just look at Figure 1, below, showing how much more advisory work internal audit teams want to do.
Moreover, embracing a greater role in risk advisory work is how you secure more support from senior leadership (third bullet point).
How Change Must Happen
Look at the larger arc for the internal audit profession. Teams are shackled to SOX compliance work, which gives rise to their reputation as compliance-focused. Management teams will never outright crap on internal audit for doing that work (SOX compliance is important, after all), but nobody likes doing it, so management enthusiasm remains lukewarm and your technology remains decent enough, but rarely whiz-bang.
What needs to happen next is this. Internal audit picks up the mantle of more risk advisory work, helping management and the board to understand (and avoid) emergent risks in artificial intelligence, climate change, cybersecurity, supply chain operations, and the like. Internal audit also helps to streamline and automate existing business processes, to seal up opportunities for fraud or compliance violations.
A role like that wins the management enthusiasm you need. It also gives chief audit executives an easier argument for more investment, particularly in new technology. It lets you tackle more interesting projects, which is how internal audit leaders keep the talent pipeline full with early-career internal auditors.
Exactly how is that going to happen between now and 2035? I’m not sure; send me your suggestions at [email protected]. But there is no way this transformation does not happen, unless internal audit wants to stay cooped up in SOX compliance world with occasional side jobs on efficiency audits.
Whither Internal Audit Independence?
The independence of the internal audit team — a sacred totem in this profession, and for good reason — could be a difficult ford to cross.
The good news is that 53 percent of IIA survey respondents say their organizations do understand why it’s important for internal audit to remain independent. (See Figure 2.) But as a practical matter, if internal audit starts doing more risk advisory work, that will lead to personnel arrangements where oversight of internal audit and enterprise risk management roll up into one person.
I do already see that in my daily scouring of LinkedIn posts: a chief audit executive promoted to “senior VP of audit and risk management” or something like that. It happens across industries, although I haven’t done enough research to notice whether it’s happening at companies of a certain size or organizational maturity. Again, if you have observations or thoughts on this trend, let me know.
My question is how chief audit executives will maintain sufficient independence during this transformation. The more directly you work with management, and for management, the more susceptible you are to pressure from management. Plus, how can chief audit executives also stay true to their roots as advisers to the board’s audit committee, while working more closely with management on risk management efforts?
We can explore those questions another time in further posts, but audit professionals should keep their eye on the far target. This profession is only going to mature in one direction, and the IIA’s latest study captures that evolution smartly.