Internal auditing, like the organizations it serves, is never dull. Practitioners are affected by the changing activities of their clients, but also by events in the broader business world. In this century alone, so far, numerous events have had a significant impact on the profession. Should we have seen these coming? What caused them? How do we learn from them going forward?
Four events, in particular, shifted the profession in one form or another. Each has had a considerable influence on internal auditing as it’s practiced today, and has helped define the role of today’s auditor.
1. Flagrant Financial Reporting Fraud
Financial reporting fraud has most likely been present since the beginning of financial reporting itself. But the extent and audaciousness of the reporting frauds at the start of the 21st century were unprecedented. While Fortune magazine named Enron “America’s most innovative company” for six years, little did anyone know that its greatest innovation may actually have been dreaming up new ways to deceive auditors and investors. And Enron was not alone as we consider WorldCom, Tyco, and others.
The biggest impact on internal auditing as a result of these scandals was probably the U.S. Sarbanes-Oxley Act of 2002 — particularly Section 404, which focuses on internal controls over financial reporting. A problem companies and external audit firms faced was that many employees lacked internal control expertise. Company personnel had for years been working to squeeze costs out of routine processes, and external audit firms had shifted away from detailed testing of processes. I recall a conversation I had with a Big Four audit partner in 2003 who told me that in his firm only the “old timers” like us — we were in our mid-40s at the time — knew anything about testing internal controls. Most companies looked to their internal auditors to help them understand controls and comply with the new law. We all learned that while financial reporting was supposedly mature, internal auditors cannot ignore a risk area just because we have become comfortable with it.
2. Financial Markets Meltdown
What does one do when banks that are “too big to fail” look like they are going to collapse under the weight of toxic loans and market illiquidity? I recall a conversation with a Fortune 50 chief financial officer in 2008 who said that a government bailout was needed, as liquidity in the banking system is like blood in the human body — when it is missing, nothing works and a transfusion is required. I am neither a banker nor a medical doctor, but these events taught us all a lot about risk. While enterprise risk management (ERM) was birthed before the financial market meltdown, ERM’s lack of maturity became painfully evident during this period.
Financial institutions that were revered for their ERM expertise were the same ones that apparently didn’t fully understand risk or see concentrations of risk. Many internal auditors who had been trained to audit internal controls over financial reporting were now asked to roll up their shirt sleeves to help implement or improve ERM processes.
One outgrowth of the increased attention to ERM was further development of the Three Lines of Defense governance model. This model helped outline the role of internal audit versus line management and others like ERM functions. The “best” role for internal audit in ERM has not been agreed upon, nor probably will it ever be, given the differences among organizations. But it is clear that internal auditing needs to live and breathe risk.
3. Cybersecurity Risk
A newer issue for virtually every organization is cybersecurity risk. What started as seemingly isolated attacks on companies for specific purposes has grown into a generalized concern over the security of all electronic data. Today, it would be difficult to find a board of directors that doesn’t have cybersecurity on its agenda.
Internal auditors were often caught unprepared for this risk. For decades, many audit functions have struggled to find enough qualified IT auditors. With cybersecurity risk, that task is even more difficult. I recall meeting a cosourced team of penetration-testing auditors and wondering whether any of them had graduated from high school yet. The technology is new, and the way it is implemented relies on methods that didn’t exist at the beginning of the 21st century.
4. Bribery and Corruption
Bribery and corruption have been part of human history for about as far back as records exist. The U.S. Foreign Corrupt Practices Act (FCPA) was passed into law in 1977 to help combat fraud of this nature. But what has changed recently? Attention and focus. Many countries have passed new laws addressing bribery — some stronger than the FCPA, like the U.K.’s Bribery Act 2010. Every company of reasonable size faces risk not only of bribery perpetrated by its employees, but also of violating strict laws that are strongly enforced.
Perhaps the most glaring example of bribery occurred at German industrial group Siemens, where it was reported that processes organized to implement bribery payments were quite mature. But any observers who think the risk only involves large organizations would be fooling themselves. All it takes is one person with access to cash for bribery to become a risk.
Learning From the Past
While it is interesting to look back on the events that have shaped internal auditing, practitioners must ask themselves what they should learn from these events moving forward. A few key messages stand out:
- Human behavior is always a risk. Each of the aforementioned events resulted from people making the wrong decisions, often for the wrong reasons.
- The world of potential risks we might face is enormous. No matter how good our risk assessments may be, we will not always be able to anticipate the next big event.
- While new risks regularly come into view, the old ones never seem to go away completely.
So what should an internal auditor, specifically, take away from this retrospective look? We must stay true to what makes us indispensable to our respective organizations. Audit departments should assemble the best talent they possibly can, stay focused on risk, keep watching for what is happening inside and outside the organization, and challenge themselves to ever increasing levels of performance. Any less would be a disservice to our organizations.