Are You Auditing Up the Wrong Tree?
July 22, 2013
One of the most important things internal auditors can do to meet stakeholder expectations is to ensure internal audit priorities align with those of the board and executive management. Risks that "keep our stakeholders up at night" also should be of concern to us.
If that sounds like common sense, consider that Thomson Reuters' survey of internal auditors, The State of Internal Audit 2013 (PDF), found that while internal auditors are focusing on assurance of internal processes and IT risk, boards are more interested in governance, strategy, and strategic-level risk management.
If your internal audit function is stuck in the past, you risk becoming irrelevant or missing the real risks to your organization. Where I come from we call that "barking up the wrong tree."
Misalignment is natural during times of rapid change. As the environment around us is changing, the internal audit function is undergoing one of the most dramatic periods of change in the history of the profession. Internal auditors are being asked to address more complex risks with fewer resources and under more intense scrutiny.
To survive and thrive in this environment, we need to step out of our comfort zones and into the more qualitative world of culture and governance. A robust dialogue with your stakeholders will not only allow you to zero in on their priorities, but it will also solidify stakeholder relations and help you avoid some of the pitfalls I discussed in my recent blog, Five Red Flags That Your Internal Audit Department May Be Losing Stakeholder Support.
So are you aligned? Ask yourself:
- Have I asked the stakeholders about their priorities? Two-way communication with the chief executive and audit committee is critical.
- Do we have the right skill set to meet those needs? Continuing education is key.
- Do we have sufficient resources? Once you know what you need to focus on and are sure you have the skills to provide assurance, you still need to have the resources to make sure you aren't being pulled in too many directions.
Assurance of internal controls will always be at the core of the internal audit function. But we need to expand our horizons and make sure our goals, skills, and resources are aligned with the growing demands on executive management and audit committees.
The recently updated Internal Control–Integrated Framework (PDF), published in May by The Committee of Sponsoring Organizations of the Treadway Commission (COSO), is a good starting point. It expands on the original 1992 COSO framework to provide additional insights into governance, globalization, regulatory oversight, and other board-level concerns.
The IIA's new Certification in Risk Management Assurance curriculum is another good resource. In addition, The IIA Research Foundation recently added an entire volume on governance, risk management, and compliance to the 6th edition of Sawyer's Guide for Internal Auditors.
These resources should go a long way toward helping you with the "how" of aligning audit priorities. For the "what," I'd say the best source is going to be your audit committee and executive management — they know what keeps them up at night.
Are you auditing up the wrong tree? There's no way to know without asking.
That's my perspective. I'm sure most of you are dealing with this right now. I'd love to hear from you about ways you've achieved alignment.