I recently spotted the headline “Is Internal Audit Losing Value?” in a respected business journal. It was for an article based on survey results in one of the multitude of white papers on the internal audit profession that come out around the first quarter each year. Researchers indicated that a greater number of managers are questioning whether they receive “significant value” from internal audit.
The survey found that 68 percent of board members believe internal audit adds “significant value,” while 65 percent believe it “performs well.”
Is there room for improvement? Absolutely. But, when I read headlines that suggest internal audit is perceived as providing less value, I am reminded of the favorite retort of ESPN sports broadcaster Lee Corso — “Not so fast, my friend!”
I am concerned — but not terribly surprised — that a gap in stakeholder expectations for internal audit has opened up in some organizations. Stakeholder expectations are always a moving target. Sometimes, the shifts are barely noticeable. Other times, they can be swift and seismic. The changes are often positive in the long run, but change can be painful until we have fully adapted to the new expectations.
Before 2001, leading internal audit departments were expanding their skills to include a widening variety of consulting projects, operational audits, control self-assessments, and other value-added engagements. Then came Sarbanes-Oxley in 2002.
A period of a year or two followed when many internal audit functions felt they didn’t have the tools to get the job done. It wasn’t that the profession had suddenly grown weak or less effective; the issue was a matter of the skill set necessary to address rapidly changing stakeholder needs. Having retooled extensively to address expectations in the late 1990s, many internal audit functions simply didn’t have the accounting expertise on staff to concentrate on financial reporting internal controls, which had suddenly become a critical concern of stakeholders.
Fortunately, the profession responded quickly and, ultimately, Sarbanes-Oxley ushered in a new appreciation for internal auditing. We adjusted staffing and training, and audit groups that adapted quickly tended to flourish. Our stakeholders came to understand and appreciate the important roles we could play regarding financial controls. Improved reporting relationships for internal audit, enhanced resources, and increasingly positive stakeholder surveys reflected strong levels of satisfaction.
We can serve our customers well only if we know what they want — and only if we give them what they want. Unfortunately, what they want is often in a state of flux.
Stakeholder needs didn’t stop evolving even as we redefined our roles and developed the requisite skills to deal with Sarbanes-Oxley. Many are again raising their expectations, especially in the area of risk and risk management. This shouldn’t catch us off guard. From its inception, internal auditing has gone through cycles in which the focus has shifted from accounting and financial issues to operational issues, then back again.
Management and boards understand that Sarbanes-Oxley is no longer the “all hands on deck” issue it was a decade ago, and they are looking to internal audit for help with new and more urgent priorities. To be sure, internal auditors understand that adequacy of internal controls over financial reporting is not the biggest risk facing the corporate sector in 2014.
But change does not come easy or quickly. We are going through a phase in which some internal audit functions may not have the skill sets needed to address the new risks/expectations, and stakeholders — particularly management — are beginning to question whether we are able to meet their latest needs.
It’s said that, if you wait for customers to tell you that you need to do something, you're too late. Good business leaders must be at least a half step ahead of what customers want — and good auditors need to be at least a half step ahead of management.
There is clearly a gap in meeting stakeholder expectations in many organizations. We would only be sticking our head in the sand to deny the scope of the problem. My advice to every chief audit executive (CAE) is to identify the gaps and forge a plan to swiftly address them.
A recent Pulse of the Profession survey by The IIA Audit Executive Center offers insights into which strategies CAEs deploy to assess stakeholder expectations:
- Ongoing informal discussions with the audit committee chair to assess expectations – 69 percent.
- Regular formal meetings with key stakeholders to assess expectations – 59 percent.
- Discussions with the full audit committee to assess collective expectations – 57 percent.
- Formal surveys of stakeholders to assess expectations/performance – 40 percent.
- Discussions with the full executive leadership/management team in the same room to assess collective expectations/performance – 26 percent.
Once you have a clear understanding of the gaps in internal audit’s ability to address expectations, you can work to address the gaps. The problem may be simply that internal audit is not focused on the key risks. This is why we must have robust discussions with management and the board during the risk assessment and audit planning processes. If skills are the problem, deploy creative sourcing and knowledge management strategies to embed the right capabilities in internal audit.
As the noted Danish philosopher Soren Kierkegaard once said, "All change is preceded by crisis.” I don’t believe that matters have reached crisis proportions where stakeholder expectations are concerned, but it is never too early for change.
What are some of the ways you ensure your stakeholder expectations are being met?