If internal audit is to remain relevant, it needs to move beyond the services currently performed to provide assurance to the main stakeholders.
Earlier this year, I wrote about PwC’s 2013 State of the Internal Audit Profession.
Protiviti has added insights through their 2013 Internal Audit Capabilities and Needs Survey, which identified these areas as needing improved understanding:
- Social media risks
- IIA Standards on functional reporting (1110) and providing opinions on individual audits (2010 and 2410)
- IIA guidance (GTAG 16) on the use of data analytics, the standard on providing overall opinions (2450), and risks associated with cloud computing
- The IIA’s GAIT Methodology, guidance (GTAG 13) on fraud, the ISO standard (27000) on information security, and the upcoming updated COSO Internal Control -- Integrated Framework
- IIA guidance on assessing risk management, on auditing IT vulnerabilities (GTAG 6), and fraud risk management.
These are all important and Protiviti’s survey is a valuable read for CAEs and their mentors on audit committees.
An Alternative Path
While I like and respect both PwC’s and Protiviti’s views, I suggest a different path forward.
- Recognize that the role of internal audit is not just to perform audits. It is to provide assurance to the stakeholders, primarily the board (or audit committee of the board) and top management.
- Assurance should be in the form of an annual, formal statement of professional opinion.
- The statement should reflect that it is the professional opinion of the CAE, based on the engagements (both assurance and consulting) and other activities (such as participation in committees, conversations with management, etc.) conducted during the period.
- The opinion should be whether the systems of governance, risk management and the related internal controls provide a reasonable level of assurance that the more significant risks to the achievement of the organization’s goals and objectives are managed at acceptable levels.
- Recognize that consulting activities that are designed to add value are a secondary role for internal audit; they should not interfere with the primary assurance role by, for example, limiting the resources available for assurance on significant risks.
- As appropriate, discuss the form and timing of the opinion with the chair of the audit committee, top management and general counsel. Explain the value of the assurance, why it is consistent with the IIA’s definition of internal auditing, and any implications for projects that matter to them.
- Establish a vision for internal audit that has as its primary product an opinion as outlined above. Understand that the audit plan has to identify the engagements required to support such an opinion. The audit plan should be based on a risk assessment process (where possible, leveraging management’s risk management program) that identifies the more significant risks to the organization’s goals and objectives -- the risks that matter.
- Build a risk assessment process that is continuous, so that the audit plan always includes projects to address the risks that matter in an environment where risks change constantly.
- Ensure that the internal audit function has the staffing required to address the risks that matter; this will probably require some level of co-sourcing to add expertise in certain topics.
- Ensure that the audit committee understands which risks internal audit has the resources to include in the audit plan -- and therefore in the audit opinion -- and which will not be addressed.
- Communicate the new approach to all affected stakeholders and obtain the engagement and support of the internal audit team.
- Deliver on the vision.
I realize that while there is a growing number of internal audit departments that provide overall opinions, this remains a minority. However, if internal audit is to realize the vision expressed in the 1999 IIA definition of internal auditing and be relevant in a world of rapid change and turbulent risk, I strongly believe it is the one path forward to excellence.
I welcome your comments.
Editor's Note: Norman knows his risk management. To read more, see Why I Worry About Uncertainty First, Then About Risk