In 2015, an IIA task force composed of leading practitioners from around the world considered whether the 1999 Definition of Internal Auditing should be updated. The task force concluded that the definition remained an excellent description of internal auditing:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
However, the task force supplemented the definition with the Core Principles for the Professional Practice of Internal Auditing and the Mission of Internal Audit. These were a significant step forward in guiding internal audit functions around the world.
The task force wrote the Core Principles and Mission very carefully. Its intent was to make them concise as well as punchy and powerful. In addition to some important language, they contain magical words that carry great meaning.
The brief Mission, which is intended to be optional guidance for audit functions that want to create a mission statement for their own department, reads: “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”
Let’s break down that statement to show how internal audit can apply those words, especially the three magical words — assurance, advice, and insight — to help the organization achieve its objectives.
Enhance and Protect
Traditionally, internal audit has focused on assessing the design and operation of the controls that keep risks within desired boundaries. The emphasis has been on protecting the organization from harm. Internal auditors identify the things that might happen to impair the ability of the organization to achieve its objectives, commonly referred to as risks. They assess the level of those risks and determine whether management has an effective system of control in place that provides reasonable assurance that the risks are at acceptable levels.
But the task force members believed that internal audit has the ability to help the organization not only protect, but also enhance, value. For example, auditors can consider whether management has effective processes, systems, and controls to:
Hire outstanding individuals, even when the organization does not have open positions.
Internal controls not only provide assurance on managing or mitigating the downside, but they also enable seizing and optimizing the upside. In fact, internal controls surround the processes for making the decisions about which risks to take. They provide assurance that the right people are making important business decisions, based on timely and quality information — including input from others who might be affected — after weighing all the things that might happen, both harmful and beneficial.
The task force recognized that considering downside risks without the context of the potential reward is not a wise way to make decisions, run the business, and be successful. Internal audit needs to help management make informed and intelligent decisions, taking the right risks to achieve enterprise objectives.
The traditional internal audit risk assessment process involves prioritizing the organization’s business units, processes, and systems based on factors such as revenue, complexity, and history of control issues. Internal audit performs a second risk assessment before each audit engagement starts to identify the more significant risks to the specific business unit, process, or system. Those lower-level risks become the scope for the audit.
For example, when I became the chief audit executive (CAE) at a large global manufacturing business, I inherited an annual risk assessment process that identified the locations that should be audited based on those traditional risk factors. One of those locations was the operation in Austin, Texas. In its planning for the audit, the team had identified information security, procurement, and accounting as the more significant areas of risk where they would test related controls.
I had only been with the company a week when I was given the draft audit report for Austin to review. The team had identified several issues that they assessed as significant, and after reviewing its work, I agreed. My problem was that the issues were only significant to operating management in Austin. They were not significant to senior management of the company. The audit had focused on risks to operations in Austin rather than risks to the enterprise.
I changed the audit planning process so the audit plan was designed to address the more significant sources of risk — and opportunity — to the organization’s objectives. We started with understanding those objectives, identifying the more significant sources of risk to achieving them. Then we determined what we should audit and where to obtain assurance that those enterprise risks were addressed appropriately.
One of the more significant sources of risk and opportunity was the company’s ability to source quality materials at a good price at its more than 150 plants around the world. The business operated with very low margins, and our ability to meet customer demands and make a profit depended heavily on the effectiveness of the procurement processes.
I designed an approach with multiple audit engagements. Three of my best people — the two leaders of my U.S. and Asia teams and our specialist in procurement and contract auditing — performed consecutive audits of some of our largest operations, in Bordeaux, France; Charlotte, N.C.; Penang, Malaysia; and Suzhou, China. They also looked at the global procurement department at our corporate headquarters in California, which negotiated global contracts with our primary vendors. Not only did they assess the design and operation of the procurement functions at each location individually, but they also considered how well they shared best practices and worked together.
We published one report with our assessment of our enterprise ability to source quality materials at a reasonable price. The report identified Penang as being world-class, with opportunities for the company if its practices were adopted by the other locations. We also shared individual assessments in reports to each of the locations’ management teams.
Instead of providing information that mattered to local management, we provided information that mattered to enterprise management. This is enterprise risk-based auditing.
The Mission of Internal Audit says internal audit provides “risk-based and objective assurance, advice, and insight.” While it is fairly clear what objective means, not everybody understands what the statement means by assurance.
Assurance, advice, and insight are magical words. They carry huge significance, and if internal auditors are able to optimize the quality of the assurance, advice, and insight they provide to leaders of the organization, they will be highly valued.
Assurance is much more than expressing an opinion on the adequacy of controls and detailing the controls that are less than effective. For example, when I asked my audit committee chairman how well internal audit was performing, he said we “helped him and the other board members sleep through the night.” We gave him assurance that he could rely on the company’s organization, systems, people, and processes to perform as management and the board needed. Any time there was a serious weakness that threatened the achievement of objectives, he knew we would not only find it but work with management to correct it.
Similarly, when I asked the CEO of the division that owned 6,000 convenience stores and gas stations for his assessment, he said, “We helped the organization stay efficient.” That was a critical need for him because this is a very low-margin business.
The highly effective CAE provides business leaders with the assurance they need that the more significant potential harms will be addressed and opportunities seized. The CAE shares his or her assessment of the systems of internal control and enterprise risk management that the organization relies on to manage the business and the things that might happen on the road to successfully achieving objectives.
In the previous example, the opinion statement in the audit report provided management with the assurance it needed relative to the organization’s ability to source materials and achieve cost-control objectives. But internal auditors do more.
Advice and Insight
Many internal auditors are uncomfortable sharing their advice, let alone their insight. They will recommend corrective actions for the control weaknesses they identify, but they are reluctant to go further. Yet, several of the task force members spoke eloquently about how the less formal advice they gave management in one-on-one meetings often was of greater value than what they were able to put in the formal report.
Internal auditors are professionals. Their position as objective observers of the organization and its processes enables them to obtain insights that, if shared with management, can be very valuable to them. When internal auditors combine their professional insights with their ability to give advice to management or the board, they are delivering great value to the organization.
Just as doctors and mechanics are entitled to their professional opinion, so are internal auditors. It is not necessary to have the level of proof that will stand up in court; auditors can rely on their experience and intelligence in forming their judgments and insights.
Sharing those insights in the form of advice is easier when management sees internal auditors as professionals and respects their objective assessments. In my experience, management will listen and thoughtfully consider that advice before making its own judgment and decision.
My experiences, which are similar to others in the task force, included:
I recall a meeting I had with a senior executive that went well over the allotted time. As we went to the door to leave for our respective meetings, I thanked him for his time and apologized for going over. He turned to me and told me not to apologize. Our meeting, when we had discussed at length the division’s operations and challenges, was one of the few times he was able to sit and think about the business rather than constantly fighting fires. He respected my insights, appreciated the way my questions made him think, and valued my advice.
Make a Difference
Business leaders welcome the assurance, advice, and insight that a respected professional, such as the CAE, can share about his or her operations. When we talk about what matters to them — their ability to succeed — they value:
Internal auditors should not restrict their work — their products and services — to assessing only the controls that protect value. They should provide the assurance, advice, and insight that leaders need, when they need it, on what matters to the success of the organization. That includes creating value as well as protecting it. Internal auditors are professionals with the ability to help management and the board succeed, and should not unnecessarily limit their ability to make a difference.