In the early days of my career, I was given the opportunity to lead an entrance conference to kick off an audit. It was on that day that I met my first U.S. Air Force general. After I enthusiastically went through my slides, the general said to me, “Do you know who you auditors are? You’re the ones who come in after the battle to bayonet the wounded.” As a young auditor, I felt crushed. I did not see my profession or myself that way. I was truly there to help improve things. Now, after having been an internal auditor for more than 23 years, I look back and think that the general may have gotten it, partially, right.
Traditional audits tend to be retrospective. Internal auditors come in six months or a year after a project (battle) has ended — after the tough decisions have been made and the hard work completed — and second-guess (bayonet) management (the walking wounded), all with the benefit of 20/20 hindsight. Aside from the resentment and distrust this breeds with management, we need to ask ourselves whether retrospective auditing really improves our organizations.
Internal audit needs to shift from a retrospective audit/compliance focus to proactively assessing emerging risks to remain relevant and provide value to our organizations. Although retrospective auditing has an important role in helping ensure that controls are working, some of the biggest threats to our organizations are those we have not seen before or are very complicated and push us out of our comfort zones. When we limit ourselves to retrospective, compliance-based audits, we underestimate the value we could provide our organizations. Moreover, with risks increasingly associated with large, customer-facing system implementations, complex regulatory environments, and cybersecurity, we are ignoring the most significant risks our organizations face.
It is in our nature as internal auditors to want to ensure that what we audit is in compliance with applicable rules and regulations. However, we need to avoid the trap of blindly enforcing flawed rules. We need to ask whether the rule makes sense.
The 2008 mortgage crisis serves as a compelling example of “compliance myopia.” Using a compliance-based checklist, even the most byzantine of mortgage products that were available in 2008 would likely have passed an audit or regulatory review of the loan package. The form was correctly filled out for the sub-prime loan — check! However, the checklist did not have a box that asked whether this was a seriously flawed loan product that would ultimately pose an existential threat to those companies offering it.
This is not to say auditors should stop enforcing regulatory requirements or other rules. We should use our role as a bully pulpit to get tragically flawed rules corrected and not wait until our organization — or global economy — is brought to the brink of disaster. Internal audit needs to move from a pure compliance focus to a strategic, risk-based focus.
No organization has ever gone out of business because it failed a timecard audit — but what about a major cyber hack and loss of intellectual property, a database breach that compromises customers’ personally identifiable information (PII), or a multimillion-dollar system implementation failure? Yet, in The IIA’s 2015 Pulse of Internal Audit survey, only 6 percent of respondents indicated they included assessing strategic business risk in their audit plans. If we wait until six months or a year after strategic risks have occurred, it may be too late for audit, because our organization may no longer exist. We need to get ahead of these risks, identify vulnerabilities, and make recommendations to address them before they are exploited.
So what is stopping us? We are. Internal auditors fail to create timely, proactive, risk-centric, service-oriented audits by misinterpreting independence and lacking strong relationships with management and the audit committee.
Maintaining our independence is crucial if we are to provide unbiased recommendations. Although we should never make management decisions, this does not prevent us from providing proactive, risk-based recommendations. Consider the example of most major system implementations. They can be very costly (e.g., system integrators, software, and hardware), customer-facing, pose security risks if not correctly configured, and damage our organization’s reputation and credibility if not correctly deployed. We don’t have to wait until after the system has been deployed to assess whether 1) the project team has mapped the system design to regulatory and functional requirements; 2) basic project management practices are in place and include provisions for robust testing; 3) contract terms are being met; 4) internal controls have been considered; and 5) people who will handle PII have undergone background checks. These are the activities that auditors do well, and they do not violate our independence. Waiting until after the project crashes to swoop in and do an audit has limited value, contributes to escalating project costs, and damages internal audit’s credibility.
Even if we can all agree that proactive, risk-based auditing does not affect our independence, we may not have the kind of relationship with management and with our audit committee in which they would welcome our involvement. Building the right relationships requires consistent and high-quality products; candid, professional, and frequent meetings; and a highly trained and diversely skilled staff. Unless we work at developing relationships with key stakeholders, they will not trust us enough to invite us in while they are trying to meet deadlines and make decisions with imperfect data. The objective is for management to see the internal auditor as a proactive risk adviser who will provide added assurance that management has considered a wider variety of risks than they would have alone.
When we start adding the largest threats to our audit plan, it can feel a bit overwhelming. The trick is prioritization. Auditors should talk with management, the board, and the audit committee and develop a collective understanding of the risks the organization faces. This will provide a basis to prioritize resources and audit those things that present the highest level of risk. If that leads to an area not addressed before, such as cybersecurity, the auditor will have to make a “build vs. buy” decision. Does the CAE have the requisite skills on staff that, with some training, will be able to use available industry best practices to assess cyber vulnerabilities? If not, the CAE will have to buy those skills by hiring outside resources. Although contracted resources can initially be expensive, ignoring existential risks, like cybersecurity, is not an option. For starters, the CAE should build into contracts the requirement that the outside experts train the audit staff. The goal should be to cultivate those skills within the audit organization so that there is a sustainable model to address these risks in the future.
The Bottom Line: Internal auditors are positioned to see across an organization, to understand overarching risks. Unlike external auditors, we have the benefit of understanding the corporate culture and internal business practices. Internal audit needs to step up and be the proactive risk adviser that our organizations desperately need. By being proactive and looking at issues of strategic importance, auditors can strengthen the organization and help navigate the risks in an increasingly complex and dangerous world.