For at least the past decade, internal auditing has been in a state of growth and progressive change. And while it has evolved and advanced significantly, many practitioners nonetheless remain bound by some fundamental, confining paradigms. These paradigms include:
- Internal auditors plan, execute, and report results of point-in-time audits.
- Internal auditors assess internal controls and report opinions on whether they believe controls are effective.
- Internal auditors report what they believe to be control deficiencies, material weaknesses, significant deficiencies, or opportunities for improvement.
- Direct-report auditing is the primary approach used globally. In a direct-report engagement, the auditor evaluates the subject matter for which the accountable party is responsible. The accountable party does not make a written assertion on the subject matter.
- The profession has been primarily supply-driven rather than demand-driven, as boards and C-suites have often not specified their assurance needs — leaving internal audit departments to form their own views regarding which objectives/topics to focus on.
- Internal audit often does not know, or require that management and boards define, the type and amounts of residual risk the company and its board are prepared to accept.
- Many internal audit departments have not assessed and reported on risks to the organization’s top strategic/value-creation objectives, or the effectiveness of its overall risk management framework. According to Enhancing Value Through Collaboration, an IIA Pulse of the Profession report, internal auditors surveyed dedicated a mere 8 percent of resources to their company’s strategic objectives in 2014.
The profession’s long-established practices have generally been viewed as adequate — even good to excellent — but their relevance to today’s stakeholders has begun to diminish. A shifting governance landscape places the profession’s traditional methods in jeopardy and points to the need for radical change. As stakeholder expectations evolve, internal audit must revisit existing paradigms and rapidly adjust to maintain its relevance.
Key developments over the last several years have significant implications for boards, senior management, and, in particular, internal auditing. The changes they’ve brought span across industries and geographical boundaries, and are far-reaching in scope.
Increased Board Risk Responsibility
Following the 2008 global financial crisis, commissions were convened around the world to help understand what had gone wrong and prevent destabilizing events in the future. From these efforts, consensus emerged that boards and, to a lesser degree, regulators, had not adequately discharged their duty to oversee what is increasingly being called management’s “risk appetite and tolerance.” Consequently, board responsibility for overseeing management’s risk appetite and tolerance has risen significantly.
Creation of the Financial Stability Board
Shortly after the onset of the global financial crisis, the Group of Twenty, an assembly of representatives from the world’s largest economies, created a new international regulatory advisory body — the Financial Stability Board (FSB). The board currently includes government officials and financial sector and securities regulators from around the world. With unprecedented speed, it has formulated and disseminated paradigm-shift guidance that could effectively spur the reengineering of corporate governance globally.
FSB’s Guidance for Internal Audit
In its Principles for an Effective Risk Appetite Framework, the Financial Stability Board proposes specific responsibilities for internal audit and other independent assessors. The framework states that internal audit should:
- Routinely include assessments of the risk appetite framework (RAF) on an institutionwide basis as well as on an individual business line and legal entity basis.
- Identify whether breaches in risk limits are being appropriately identified, escalated, and reported, and report on the implementation of the RAF to the board and senior management as appropriate.
- Independently assess the design and effectiveness of the RAF periodically, as well as its alignment with supervisory expectations.
- Assess the effectiveness of the implementation of the RAF, including linkage to organizational culture, as well as strategic and business planning, compensation, and decision-making processes.
- Assess the design and effectiveness of risk measurement techniques and [management information systems] used to monitor the institution’s risk profile in relation to its risk appetite.
- Report any material deficiencies in the RAF, and on alignment (or otherwise) of risk appetite and risk profile with risk culture, to the board and senior management in a timely manner.
- Evaluate the need to supplement its own independent assessment with expertise from third parties to provide a comprehensive independent view of the effectiveness of the RAF.
Among the FSB’s most significant contributions to date is a November 2013 guide for national regulators, companies, and auditors titled Principles for an Effective Risk Appetite Framework. The guide’s authors define new and bold proposals for management, boards, and internal auditors. Details of the role proposed for internal auditors are shown in “FSB’s Guidance for Internal Audit” at right. In essence, the FSB calls on practitioners to transition from providing point-in-time, direct-report, subjective opinions on control effectiveness for a small percentage of an entity’s risk universe to reporting on the reliability and effectiveness of an organization’s entire risk appetite framework. The scope of reporting would include the reliability of enterprise risk status reports provided to the board by senior management. Although the FSB framework was aimed primarily at the financial services industry, the core concepts it promotes are relevant to all sectors.
Adoption of FSB Guidance
Regulators around the world have started to enact regulations that reflect key FSB recommendations — particularly the need to assign primary responsibility for risk management and reporting to management; and risk appetite and tolerance oversight to boards. The revised U.K. Corporate Governance Code, issued in September 2014, provides one of the most notable illustrations of this activity. It positions responsibility for risk oversight squarely with boards of directors; calls on management to design, implement, and maintain effective risk governance frameworks; and asks boards to seek independent assurance that management has designed, implemented, and maintained effective risk governance frameworks. Other countries that want to improve the integrity of their capital markets are expected to follow the U.K.’s lead.
Reduced Audit Client Satisfaction
As these regulator-driven developments gain traction globally, PricewaterhouseCoopers’ 2014 State of the Internal Audit Profession Study paints a picture of a significant decline in board and senior management satisfaction with traditional, direct-report internal audit services. One of the report’s most disturbing findings is that half of senior management and nearly 28 percent of board members say internal auditing adds less than “significant value” to their organization. Moreover, only 49 percent of senior management and 64 percent of board members say internal auditing is delivering on expectations.
Implications for Internal Auditing
The changes described are causing regulators, boards, and senior executives to reconsider and reshape what they want and expect from internal audit. What once constituted fine, even laudable deliverables from internal audit in the minds of many boards, C-level executives, and regulators is being reshaped by increasing expectations that internal audit play a key role in helping boards demonstrably oversee management’s risk appetite and tolerance.
Risk Reporting
The FSB has defined roles for the board, senior management, and internal audit that call for a fundamental accountability shift — a shift that would require management to continuously assess and report upward on risk status. Moreover, it would require internal audit to help management build and maintain systems for this purpose, as well as assess and report opinions to the board on how well management is discharging its assigned risk governance responsibilities. This new paradigm requires fundamental shifts in existing internal audit educational resources. The IIA modified its Performance Standard 2120: Risk Management in 2010 specifically to provide support for the shift, and in 2012 it also began offering the Certification in Risk Management Assurance designation globally.
Internal audit departments that aren’t doing so already need to evolve beyond the business of performing traditional, point-in-time, direct-report audits and providing subjective opinions on “control effectiveness” for a small percentage of their organization’s total risk universe. Instead, they need to focus substantially more resources on providing assurance to boards that senior management is creating and maintaining what is increasingly being referred to as an effective risk appetite framework.
Educating the Board
Regulatory, director, senior management, and common law expectations are likely to evolve at varying speeds and intensity in different countries. Not all senior management and board members have been actively following the evolution of these expectations, and not all national regulators — including the U.S. Securities and Exchange Commission — have codified risk governance expectations with the clarity and simplicity of the 2014 U.K. Corporate Governance Code to spur the needed transition. Moreover, not all CEOs and chief financial officers are likely to welcome direct responsibility for creating and maintaining effective risk appetite frameworks and providing formal and candid reports on enterprise residual/retained risk status to their boards — especially those outside the financial services industry, on which the FSB framework is focused.
Some CEOs may be particularly upset with the FSB recommendation that internal audit report to boards on the reliability of the organization’s risk appetite frameworks and, especially, CEO/senior management reports to the board on enterprise risk status. Nonetheless, internal audit needs to ensure boards and senior management are aware of these developments and the global push to hold boards and the C-suite more accountable for overseeing management’s risk appetite/tolerance.
New Competencies
If internal auditors are to assume the type of responsibilities defined by the FSB, the Financial Reporting Council, and other national regulators that elect to follow the U.K.’s lead, they must retool their knowledge and skills. Instead of emphasizing opinions on control effectiveness, internal auditors must be able to assess and report on the reliability of management’s risk appetite framework, including CEO/management reports to the board on enterprise retained/residual risk status. Making this transition involves learning the type of vocabulary defined by the FSB in its Principles for an Effective Risk Appetite Framework guidance and the International Organization for Standardization’s ISO 31000 and ISO Guide 73.
Internal auditors should also monitor closely the enterprise risk management framework update currently under development by The Committee of Sponsoring Organizations of the Treadway Commission (COSO), scheduled for completion in late 2016. One of COSO’s stated reasons for the update is to respond to escalating risk governance reporting requirements.
Auditors will also need to gain the knowledge and skills required to identify the organization’s full range of risks and risk treatments linked to key objectives, and obtain a picture of residual risk status — as opposed to the much narrower dimension of traditional internal controls on which internal audit has historically focused. More importantly, internal auditors need to continuously assess and report on whether the current residual risk status related to key strategic and foundational objectives is within the board and senior management’s risk appetite and tolerance — assuming internal audit has been provided with enough information from the board and C-suite to take on this task. Internal audit can also play a key role in alerting boards to risk acceptance situations that warrant active discussion with senior management and the board.
The Need for Change
Quantum change in the current internal audit paradigm will be needed to address shifting client and regulatory demands. And while human nature is to resist radical change in favor of smaller, more incremental steps, meeting these demands will require internal audit to adapt quickly. The well-known adage “necessity is the mother of invention” applies well to current circumstances: The internal audit profession needs to reinvent itself to satisfy key customers — particularly board members. Change of this magnitude constitutes no small task to be sure, but it’s imperative for ensuring the future of the profession.