Wednesday, August 26, 2009

New Ground


My interest is in the future because I am going to spend the rest of my life there.

Honestly Lay Bare - being the cutting edge commentator that it is, or at least likes to think that it is (never really sure!) - was recently asked by Deloitte to put pen to paper as to what were the challenges facing internal audit.

Here are my ramblings.

**

I suspect that many of the responders will talk about the impact of the global financial crisis and the impending regulatory response thereto. They are important issues that we need to consider as internal auditors but I do not believe that they are the defining challenges.

In the same way that Enron gave rise to the era of SOX; the global financial crisis will give rise to another era.

But they are just that – eras.

They are not fundamental shifts in what internal audit is and what it is to be an internal auditor.

I am going to go out on a limb and raise three areas that will forever impact the perception of internal audit within the organisations that they are designed to serve and as such are issues that will have the greatest importance to our relevance, differentiation and longevity.

Internal Audit as a Profession

If you are a doctor and you are either grossly incompetent or possess an ethically challenged character, processes exist in most countries for such persons to be removed from the practice of medicine.

Similarly with the law, accounting and engineering.

If you are a sales person and you suggest that your service offering is something that it isn’t, there are mechanisms in most developed jurisdictions for those aggrieved to be compensated for the false and misleading promotions.

Internal Audit does not have a regime that forcibly quarantines the professional incompetent.

Internal Audit does not remove from its ranks those that take advantage of others or situations.

Internal Audit rarely has a mechanism by which an aggrieved person can raise their concerns about the quality of the work provided to them by the internal auditor outside of the internal governance frameworks of the organisation.

Until such time as Internal Audit has a publicly convened, rule based, punitive disciplinary environment – a fundamental element of the existence of a profession – that transparently addresses the deficiencies within our population, we will never be properly seen as a profession.

As such we will never be afforded the respect that the medical, law, accounting and engineering professions demand.

Nor will we ever be in a position where those that are less morally suitable for the practice of Internal Audit are removed, and penalised, where appropriate.

Internal Audit’s standing within the community and within the organisations she is mandated to serve will be accordingly compromised.

Full Data Testing

If there is one aspect of the current practice of internal auditing that I suspect we will – in the not too distant future – look back on and reminisce about the ghosts of audit procedures past, it is the concept of data population sampling.

We already have full data sets.

We already have the means to test full data sets.

What we don’t have is the understanding of auditors and auditees as to the inherent failings of sampling and, to date, we have allowed ourselves to be convinced that full data population testing is expensive and no more representative than sampling.

If Internal Audit is to be seen as the pre-eminent independent assurance provider we need to remove from our work any caveats as to depth of testing.

At present our work is only ever as good as the sample chosen.

Impact of Collaborative and Social Medias

The biggest change is probably the one paradigm shift that even society itself is struggling to come to terms with.

I have never been more certain of a reform that will come to Internal Audit than I am of the changes that collaborative and social medias will visit upon Internal Audit.

We are just about to enter into something called Internal Audit; but it won’t be Internal Audit as we know it.

The mantra of so many Internal Audit departments for many years has been that they are business partners – yet they interacted with their ‘clients’ in a static and rigid communication framework.

Collaborative mediums such as wikis have the potential to incorporate the auditee, fully, in every aspect of the audit execution cycle.

We will no longer present a draft report to the auditee as their first point of ability to express an opinion – agreeable or not – on the work performed to date.

Why not use such collaborative tools to identify, manage and provide assurance over the risks and for all the risk stakeholders to have full and ongoing interaction, accountability and ownership of a successful outcome?

Internal Audit is mandated to assist organisations to improve their internal control environment.

Never has there been a good internal control environment that has poor communication frameworks between the respective constituents.

What has, however, been missing until now is the ability to bring together individuals of a similar mind, irrespective of their job description, to most effectively manage and better an internal control environment.

By bringing together like-minded souls irrespective of job grade, geography, experience – what one is describing is the business model for successful social media.

This is where the role of Internal Audit fundamentally changes – we should be seeking to facilitate the founding and collaboration of those similarly disposed diasporas as a means to improving the organisation’s internal control environment.

The ex post facto elements of our assurance work will become secondary to what will emerge as our new role – that of the corporation’s tour guide.

**

As I said at the outset, I suspect others may identify more immediate and – in their minds – more pressing concerns around audit coverage and budgetary constraints.

Those issues are indeed important but we should never lose sight of the revolutions that are coming for they are the greater challenges that Internal Audit is about to face.

As the saying goes – show me someone who doesn’t dream about the future and I’ll show you someone who doesn’t know where they are going!

2 comments:

itauditsecurity said...

Full Data Testing - Are you talking across the board or mainly in financial audits? I don't see how full data testing is cost-effective in many IT and operational audits.

For example, in IT, how do you audit that 10,000 new users a year have appropriate approval and access? That would require automated approvals and access in a format that can be easily imported into ACL or similar software. Too many companies still have many manual controls and systems that don't talk to each other.

I think it's the same with operational audits. Want to be a little more specific?

I will agree with you that ACL and the like make more full data audits possible, but few companies do it. I think in the end, few companies see value in full data audits. Too many companies just want to check the box and move on, which drives cost-effectiveness even in the most diligent organizations.

If you're talking about continuous monitoring or auditing, the expense is usually so high that it can't be justified.

amorgan said...

Tom
I am glad I found your blog - some great insights and you are obviously passionate about your profession.

I absolutely agree with your comments in this post - particularly the industry governance and total data set comments.

For fraud related data analytic work, we have been using complete data sets for years with sensational results and for the life of me - I don't get why auditors have been so slow on the uptake - sample based methodologies are inherently flawed and a throwback to days when we had staffing limitations. The degree of assurance provided when reviewing an entire data set is so much greater than a sample based set.

I will enjoy going through your older posts as well.

Regards

Andrew Morgan