U.S. President Donald Trump has taken the world by storm. From tough talk and bold action on immigration and trade to media skirmishes and promises to dismantle the Dodd-Frank Wall Street Reform and Consumer Protection Act, the Trump administration has served notice it plans to shake things up.
Trump's promises to drastically roll back regulations, renegotiate trade deals, and more are creating unease about their implications for internal auditors. But before we can pass judgment on whether the Trump era will be good or bad for internal auditing, we should take a step back and assess a number of factors.
First, we cannot yet predict the level of deregulation that the administration will achieve, how quickly it will happen, or its impact on the audit plan. While there appears to be support in Congress for scaling back some regulations on energy production and some Dodd-Frank requirements, just how it will play out in day-to-day compliance remains to be seen.
Last week, Trump signed an executive order directing federal agencies to create regulatory reform task forces and told members of the Conservative Political Action Conference he wants to slash 75 percent of regulations.
Yet, Trump's first action to cut regulations will have a negligible effect on the internal audit workload. That legislation eliminated a Dodd-Frank-mandated Securities and Exchange Commission rule that would have required energy and mining companies to disclose payments to foreign governments. However, that rule had yet to be implemented.
This won't always be the case, of course. If existing regulatory requirements ultimately are reduced or eliminated, it will be tempting for internal audit's stakeholders to consider scaling back some of the resources dedicated to the third line of defense. However, it will be important to remind stakeholders that the risks any rescinded regulations were designed to mitigate still remain. Now is the time to promote internal auditing as necessary both to assessing risk mitigation where regulations once did and to making sure resources are allocated based solely on risk.
Secondly, we should offer our stakeholders an accurate picture of just how much — or how little — of the average audit plan compliance risks make up. Across all sectors, the typical U.S. internal audit plan for 2017 allots a relatively small percentage of resources for coverage of compliance risks. Indeed, internal audit's scope of work beyond compliance is expanding like never before, driven by a comprehensive portfolio of noncompliance risks, including operational and cybersecurity risks, as well as overall assessments of strategic risk management.
The 2017 North American Pulse of Internal Audit survey offers an up-to-date picture of just how the average audit plan breaks down. Operational risks account for the largest risk category (19 percent), followed by financial reporting risks (14 percent), then compliance/regulatory risks (13 percent), according to the survey of 535 chief audit executives across all organization types.
A second Pulse survey question asked about allocation of audit effort based on broad categories. It found that strategic goals and routine operations account for the largest shares — both at 36 percent — with regulatory compliance making up 17 percent of activities.
Despite the unknowns, the prospect of deregulation is generating some troubling actions. Some consulting firms already are recommending that their corporate clients reduce compliance resources in anticipation of administration and congressional action. As internal auditors, we should not be asleep at the wheel while these so-called "management consultants" offer recommendations for sweeping reductions in risk and control functions (including internal audit) in our organizations. Those who embrace these recommendations on a wholesale basis are longing for a past not only free of cumbersome regulations, but also free of the controls that mitigate the corresponding risks. As the noted Spanish philosopher, George Santayana, warned, "Those who cannot remember the past are condemned to repeat it."
Stakeholders should carefully consider how to allocate internal audit resources "freed up" in a lower regulatory environment. Instead of viewing it as a potential windfall, they should work with internal audit to determine whether those resources should be redirected to the most lethal risks facing the organization. It wasn't that long ago that organizations howled about the U.S. Sarbanes-Oxley Act of 2002 and Dodd-Frank regulations diverting internal audit resources from other, potentially more pressing, risks.
Finally, I want to point out that the rise of internal audit's value within organizations has not necessarily coincided with the rise of regulation. Increasingly, our stakeholders recognize that internal audit's focus should be on how the organization is managing risk, and it bears repeating that audit plans should be based solely on organizational risk. In fact, it is our obligation, as Performance Standard 2010 on planning clearly states, "The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity consistent with the organization's goals."
It is easy to pigeonhole internal audit into one's perception of the function — compliance assurance provider, financial reporting assurance provider, fraud detector, etc. But misperceptions that limit internal audit's scope can lead to wrong conclusions on what changes in the world will mean for the organization and the function. This would be ill advised at a time in history when the speed of change and, in turn, the speed of risk, are at their highest.
At this point, there are too many variables and unknowns to try to gauge with any certainty how the profession will fare under Trump or any other leader for that matter. As always, internal auditors should encourage stakeholders to develop audit plans that are risk-based and flexible, be prepared to address changes in the risk landscape, and be nimble and versatile enough to act quickly and efficiently.
In my travels as IIA President and CEO, I am often asked to paint a picture of the future of internal auditing. My practice is to identify and examine the factors and forces that drive the profession and help it evolve. But I stress that risk is dynamic and unpredictable. We simply can't predict or control the future.
Internal auditing should instead prepare for the future by communicating honestly and frequently with our stakeholders, constantly examining and updating our processes to remain effective and efficient, and making sure we manage our talent to address evolving risks and serve changing stakeholder needs.
As always, I welcome your comments.