Richard Chambers became the ninth president of The IIA in January 2009 during the onset of the global economic crisis. It was a time when companies were experiencing a major loss in shareholder confidence due to colossal risk management failures and a lack of corporate accountability. These dark times revealed vast new opportunities for internal audit to help protect organizations and enhance their performance.
Chambers says internal auditors grasped those opportunities by pivoting swiftly to focus on the emerging risks brought on by the financial crisis and the impact these risks were having on their organizations. The profession became much more risk-centric in those early years of the prolonged financial downturn. The result? Internal audit solidified the stature that it had earned in the prior decade and became a critical component of the systems of risk management and internal controls in modern organizations. “The past decade has been about proving that the confidence that was conveyed to us in the early 2000s was deserved,” Chambers says. “This decade, I think we’ve earned that trust even more.”
On the eve of Chambers’ 10th anniversary with The IIA, we sat down to discuss how the internal audit profession was impacted by the financial crisis, how it responded, and how it has evolved.
INTERNAL AUDITOR You became The IIA’s CEO during the greatest economic upheaval since the Great Depression. How was that crisis impacting internal audit?
▣ ▣ RICHARD CHAMBERS Having been in this profession over 30 years at that point — whether it was my time in government or in the corporate sector — my experience had been that whenever organizations’ resources were severely impacted, it would translate into an even more drastic impact on internal audit. Historically, I had witnessed internal audit departments being divested at a much higher rate than the organization as a whole as executives sought to trim costs.
I was anticipating that scenario at the end of 2008, but I was pleasantly surprised as the next couple of years unfolded and internal audit was not disproportionately downsized in most organizations. In fact, reductions in the profession at that time were similar to what organizations were experiencing overall as a result of the financial crisis.
Why was it different this time?
▣ ▣ Internal audit’s resilience appeared to be a reflection of the stature the profession had gained in the previous decade. One difference between this recession and the recession of the early 2000s and those that came before, was there had been a sea change in internal audit’s positioning within the governance structure. Following the financial reporting scandals of the early 2000s that involved Enron, WorldCom, and others, we saw legislation and regulations implemented that fostered a stronger emphasis on controls — particularly financial reporting controls. As a result, internal audit was ushered from the back room to the boardroom where it developed a stronger relationship with the audit committee.
Was internal auditing being redefined?
▣ ▣ We didn’t redefine ourselves; we started living our definition. In the early 2000s, internal audit became much more risk-centric. If you think about it, there was not even a standard that required internal audit to do a risk assessment as part of its audit planning process until 2002. So, we had only a short time between the onset of the standards mandating a risk assessment and the beginning of the financial crisis to get a full appreciation of what being risk-centric meant.
With the onset of the financial crisis in 2008, suddenly there were countless new risks facing our organizations. The crisis had exposed the ineffectiveness of risk management, itself, as a critical risk. There was a notable spike in operational risks as companies were compelled to achieve greater operational efficiency and effectiveness. And almost half of chief audit executives (CAEs) reported increased coverage in cost reduction and containment in 2008 and 2009. We started to see risks around technology, cybersecurity, culture, social media, and so on. And compliance risks became critical — particularly as we saw legislative provisions such as those in the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act make their way into regulation.
So in the wake of the financial crisis, there was a radical and rapid rebalancing of internal audit’s focus. It reprioritized and emphasized a broader portfolio of risks. Internal audit was living up to its definition of being risk-based.
Was internal audit’s response to the financial crisis appropriate?
▣ ▣ It’s hard to argue with the success internal audit achieved at the time. It was an unprecedented time for the profession. While we were busy rolling up our sleeves to help our organizations respond to the emerging financial crisis-related risks, there were already those asking, “Where were the internal auditors, and why weren’t they looking at risk management in financial services organizations?” And my answer was, there wasn’t a lot of emphasis by internal audit on the effectiveness of risk management before 2008 because we were being asked to fight the last war by focusing on internal controls over financial reporting. Very few people were focused on the effectiveness of risk management in financial services — including those management and board members who were actually responsible for risk management. The emphasis was to ensure there were no more Enrons and WorldComs. When you’re busy looking behind, you miss what lies ahead.
Are there areas in which the internal audit profession has fallen short?
▣ ▣ As a profession, we’re still not demonstrating some of the attributes of great professions. For example, I don’t see the level of conformance to the International Standards for the Professional Practice of Internal Auditing that we should be witnessing. I chaired the Internal Audit Standards Board in 2002 when we adopted the first standards that required external quality assessments. If you told me in 2002 that I’d be sitting here in 2019 saying that we still have such limited conformance, I would not have believed it.
When I say there’s nonconformance, I don’t mean to imply that no one is paying attention to the Standards. I’m talking about conformance with the full set of Standards. There is definitely widespread adherence to parts of the Standards around the world. There’s a much higher degree of conformance in large, publicly traded companies in North America and Europe than in other types of companies or organizations in other markets. But is conformance where it should be? Absolutely not.
Additionally, I would have thought there would be greater recognition of our Standards around the world. The IIA’s Standards are widely acknowledged within the profession, but they’re not necessarily widely recognized by others, such as regulatory bodies, relying on internal audit’s work. I continually deliver this message to global regulatory bodies: “There is only one set of global internal audit standards in the world. Why aren’t you promoting them?”
Are there other areas in which internal audit could improve?
▣ ▣ I’m concerned that the profession is not as assertive as it should be in speaking out. There’s a certain comfort level that says, “Nobody is pushing me to do this; therefore, I’m going to stay the course.” And when you take that approach, you leave your organization vulnerable to value-destructive calamities or scandals. For example, internal auditors are reluctant to tackle sensitive topics such as corporate culture, executive compensation, or management of risks associated with sexual harassment policies in their organizations. As a result, these are risks that seem to routinely get companies in trouble.
Too often, a courage deficit exists. Internal audit has to be courageous enough to address issues such as these that are not popular. We have to be courageous enough to speak the truth even when someone isn’t interested in hearing it. And we have to be courageous enough to speak truth to power. If a CEO is engaged in questionable activities, or fraud, the CAE must summon the courage to alert the audit committee.
Are there other reasons internal auditors fail to speak up?
▣ ▣ Internal audit is still reluctant, in some instances, to take on risks that are outside of its comfort zone. For example, culture, cybersecurity, and blockchain technology are areas in which internal audit may not have a lot of expertise, so they are frequently neglected despite the risks they present to the organization. Internal audit’s mandate is to be risk-centric, not just risk-centric in the risks with which we’re comfortable.
Internal audit also has not made the kind of progress that organizations need in identifying emerging risks. We are still inclined to see the risks that lie immediately in front of us. If we don’t help our organizations anticipate risks that may lie beyond the line of sight, we’re likely to be ill-prepared to help them when those risks materialize.
You’ve talked a lot about expectation gaps with stakeholders over the years. Why does internal audit struggle to narrow those gaps?
▣ ▣ Throughout my career, I’ve witnessed how dynamic stakeholder expectations can be and how quickly they can pivot. In the early 2000s, there were some who thought internal audit needed to be consultants in their organizations — out there helping people better understand their own risks and problems.
Then came tbe U.S. Sarbanes-Oxley Act of 2002. And regulatory compliance risks associated with financial reporting controls rapidly became the priority of internal audit’s stakeholders. By 2005, according to a PwC survey that I led, 71 percent of internal auditors at publicly traded U.S. companies reported they were spending more than half of their time on Sarbanes-Oxley compliance. With the onset of the financial crisis in 2008, the risks that companies faced and internal audit stakeholder expectations changed quickly. Internal audit realigned its coverage to address new risks. By 2012, according to an IIA survey, the percentage of internal audit plans dedicated to Sarbanes-Oxley compliance had fallen to less than 15 percent while the combined percentage of coverage dedicated to operational and compliance risks surged to more than 40 percent. Stakeholder expectations are changing yet again, 10 years after the financial crisis.
Recent reports suggest that management and boards are looking for internal audit to focus on key risks beyond financial reporting and compliance. As KPMG recently observed, risks related to culture, incentive structures, cybersecurity, data privacy, global supply chain, and outsourcing, as well as environmental, social, and governance risks, can significantly impact share value. It remains to be seen how extensively and rapidly internal auditors will pivot to address these risks. However, I am confident that they will.
The greatest danger of an expectations gap occurs when there is a swift and sudden shift in the risks that an organization faces. There’s often a lag time between when a risk becomes critical for an organization and how quickly internal audit can address it. And it’s in that window where stakeholder expectations get ahead of internal audit. That’s why it is critical in 2019 and beyond for internal auditors to have the agility to change direction swiftly to keep pace with stakeholder expectations.
Where do you see internal audit in 10 years?
▣ ▣ If, in some respects, in the early 2000s internal audit fell back into the era of hindsight — looking at whether financial controls were appropriately designed and implemented — there’s been a much greater emphasis on insight in this last decade.
The decade ahead offers internal audit a great opportunity to continue to build on the way we serve organizations by also providing foresight. Being able to look at emerging risks, to look out further and identify what actions need to be taken, and to talk more about what risks may present themselves if certain actions aren’t taken provides tremendous value.
Internal audit also has a huge obligation — and opportunity — in the next decade to embrace the fourth industrial revolution — a new era that extends digital technologies in new and unanticipated ways. We are in an era where the volume and complexity of data dwarfs anything we’ve seen. It defies imagination in some ways. Internal audit has to recognize not only what that means in terms of the risks our organizations face, but also the approach we take to auditing them.
In the coming decade, artificial intelligence (AI) is going to become much more pervasive. I often get asked whether AI is a threat to the internal audit profession. It’s not a threat unless internal audit continues to do the things that we’ve always done. A lot of the activities that internal audit has historically done are susceptible to being replicated or done through AI. Hindsight is much easier for AI to do, for example, than foresight. As yet, however, AI cannot combine data, information, trends, rumors, breaking news, competitors’ actions, and even hallway gossip to formulate reasoned and rational suggestions of future developments and their associated risks and opportunities — foresight. We have the opportunity and the obligation to address AI and similar technological innovations not only from the standpoint of what the risks are to our organizations, but also in terms of how internal audit uses it. AI can be a great contributor to internal auditing. It can help us become more efficient and target our efforts and resources.
So how does the profession continue to grow?
▣ ▣ Internal audit is definitely on stronger footing than we were 20 years ago, or even 10 years ago. However, this profession, like all professions, should always be prepared to prove its worth. I don’t think we have any guarantees of what lies ahead for internal audit. We are a respected resource right now, and we will stay there as long as we recognize the responsibility that comes with it. Internal audit must always be prepared to lean forward and not rest on its laurels.
Recessions and swift economic downturns are very challenging for professional associations. As Richard Chambers puts it, “If other sectors catch a cold during a recession, not-for-profits catch the flu.” The impact of the 2008 financial crisis on The IIA was great. “One of the first things that companies cut if the economy turns very soft is training and travel dollars,” Chambers explains, “so the impact was swift and severe.”
Chambers says he knew when he became president and CEO in January 2009 that the financial challenges were going to necessitate downsizing to a leaner,
re-engineered Global Headquarters. He and the Global Board of Directors had to make some difficult calls. “We didn’t really have a lot of choices,” he recalls.
Navigating through the crisis required full involvement — from the Board, volunteers, and IIA staff. “Those early months of 2009 were really spent working collaboratively,” Chambers says. “One of the greatest achievements of The IIA in the past 10 years was those first few months when the staff came together.” The Institute put together action teams to look at opportunities to cut costs and to grow revenue. “It was a collaborative process that really exemplified the very best of who we are,” Chambers says. The board was “absolutely unwavering” in its support of the steps The IIA took, he adds.
In the ensuing months, The IIA discontinued some initiatives and refocused on serving its members. “We redefined what service meant,” Chambers says. “We began to look at the member value proposition.”
“Throughout this decade, we’ve continued to make great progress in serving the members,” Chambers adds. Membership continues to grow, and The IIA is poised to crest to 200,000 members worldwide.
The results of the last 10 years have allowed The IIA to make some extraordinary investments that Chambers says will become more evident to members over the next couple of years. “We’re making unprecedented investments in technology in support of the profession,” he notes.
The IIA takes a strategic view of its role in supporting the organization and in serving its members. Its strategic plans have served as the blueprints for supporting member expectations and meeting the needs of the profession. “The IIA has never been stronger,” Chambers says.
Image: Chambers says IIA Board support has been integral to The Institute’s success over the past decade. Chambers and Board chairs from the past 10 years recently gathered at The IIA’s Midyear meetings in Orlando, Fla. From left to right: J. Michael Peppers, Denny Beran, Günther Meggeneder, Phil Tarling, Richard Chambers, Patty Miller, Anton van Wyk, Naohiro Mouri, Larry Harrington, and Paul Sobel. (Not pictured: Angela Witzany and Rod Winters)