Ten years ago, at the conclusion of my first year as The IIA’s CEO, I wrote a blog post on the events that defined the 2000s for internal auditors. It is hard to believe that it is that time again! For internal auditors, the 2010s began with an increased focus on compliance around post-financial crisis regulations. This decade is coming to a close with a slew of new regulations aimed at protecting consumer data and privacy. To the casual observer, it might appear that regulatory compliance remains the driver of internal audit’s primary mission. However, this is not the case.
Advances in technology in the past 10 years have opened a new world of opportunities and threats for the organizations the profession serves. From increasingly sophisticated and brazen hacking that has reshaped cybersecurity to artificial intelligence that promises to disrupt the traditional workplace model, technology has redefined and reprioritized risk management like never before.
It is difficult to concisely explain just how dramatic the past decade was for the profession, because so many significant factors impacted us, including technology, climate change, increased regulation, globalization, macroeconomic volatility, geopolitical upheaval, and investor activism. Still, I hope to capture some of it by examining the top 10 headlines for internal auditing in the 2010s.
Dodd-Frank shines light on board oversight of risk management
The fallout from the financial crisis of 2008 led to passage of landmark legislation designed to protect against excessive risk-taking by financial institutions and to improve corporate governance. The Dodd–Frank Wall Street Reform and Consumer Protection Act, enacted in July 2010, overhauled U.S. financial regulation, created a consumer protection bureau and an agency to protect financial stability, and greatly expanded the role of the U.S. Federal Reserve.
Most significantly for internal audit, it created corporate governance and disclosure rules designed to promote increased accountability and curb excessive risk-taking. The act and the subsequent rules generated through the U.S. Securities and Exchange Commission and the Public Company Accounting Oversight Board put boards of directors on notice of their oversight responsibilities. No longer can boards passively acquiesce to management initiatives.
The U.S. Federal Reserve raises the bar for internal audit in big banks
In January 2013, the U.S. Federal Reserve issued new direction for banks with its Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing. This innocuous-sounding statement carried a powerful message about the importance of a strong and effective internal audit function in financial services institutions. Indeed, the statement placed the Federal Reserve closer than any other regulator in the industry to endorsing or mandating The IIA's International Standards for the Professional Practice of Internal Auditing. The document's opening paragraph asserts:
"The Federal Reserve is providing this supplemental guidance to enhance regulated institutions' internal audit practices and to encourage them to adopt professional standards and other authoritative guidance, including those issued by The Institute of Internal Auditors."
The Federal Reserve’s guidance also signaled the regulator’s disdain for internal audit reporting administratively to the chief financial officer or other C-suite officials below the CEO. It signaled that internal audit should report administratively to the CEO, or the audit committee should explain why not.
COSO refreshes its internal control and enterprise risk management frameworks
In 2013 and 2017, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) board (on which I serve) released important updates to its two signature frameworks, which had become essential tools in creating effective internal control and understanding how risk is managed across organizations. The growing complexity of governance, risk, and control in a fast-moving world demanded frameworks that reflected and adapted to those changes.
Of significance, the updated internal control framework built on the original’s focus on designing, implementing, and evaluating the effectiveness of internal control. Meanwhile the ERM framework update helped to clarify just what effective ERM is and is not. From the ERM update:
"Enterprise risk management is not a function or department. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with the purpose of managing risk in creating, preserving, and realizing value."
NYSE gives a nod to the profession by inviting The IIA to ring the opening bell
In July 2016, I took great pride in joining The IIA’s past chairman and others in ringing the opening bell at the New York Stock Exchange (NYSE). It was a significant event in history for not just The IIA, but also for the profession. The NYSE, a longtime strategic friend and ally to internal audit, was once again acknowledging the importance and value of internal audit to publicly traded organizations. As I wrote at that time, The IIA ringing the opening bell at the NYSE should serve as a clarion call for all organizations — not just publicly traded companies — to commit to good governance and to embrace the tried-and-true tools and practices that make it possible.
The Chartered Institute of Internal Auditors issues Financial Services Code
The scrutiny of internal audit by financial services regulators was truly a global phenomenon in the past decade. In response to financial services regulators in the United Kingdom, the Chartered Institute of Internal Auditors published the Financial Services Code in July 2013. The code was “aimed at enhancing the overall effectiveness of Internal Audit, and its impact, within the firms operating in the financial services sector in the U.K.” It was produced by an independent committee established by the Chartered Institute, with representation and observers from leading banks, insurers, the Financial Conduct Authority, the Prudential Regulation Authority, and the Bank of England.
The code was reviewed and republished in September 2017 with only modest changes, and is serving as the forerunner for a soon-to-be-issued, more comprehensive Internal Audit Code of Practice, which will be applicable to the broader internal audit profession in the U.K.
Culture-induced corporate scandals pressure internal audit to raise its game
As I wrote just last week, corporate scandals emerged with embarrassing regularity in the 2010s. With each scandal the question of “Where were the internal auditors?” was brought up again and again.
While I’ve made clear that the blame for scandal rarely lies solely with internal audit, the silver lining in the string of corporate governance failures is the growing recognition that culture was often at the core of the scandal and that internal audit has a role to play in assessing culture.
Many inside and outside the profession expressed doubts about internal audit’s ability to audit culture effectively, but we have made great progress. The recent release of a new IIA Practice Guide on Auditing Culture reflects that growth.
The IIA launches the CRMA
In 2013, The IIA began offering the Certification in Risk Management Assurance (CRMA) to allow internal auditors to demonstrate their ability to provide advice and assurance. Since then, nearly 16,000 practitioners have earned that designation.
High demand for the CRMA, second only to The IIA’s Certified Internal Auditor designation, reflects the importance of providing assurance on the effectiveness of key risk management and governance processes. In today’s dynamic risk environment, having a CRMA-certified professional on staff gives internal audit’s stakeholders in the C-suite and the boardroom comfort in knowing they have a trusted advisor in their corner.
Cyber breaches put CAEs in the crosshairs
I am comfortable asserting that no single development in the past decade caused more disruption to organizations and the profession than cyber breaches. The omnipresent specter of cyberattacks and near constant media coverage of major cyber breaches exposed vulnerabilities in IT systems, data management, data protection, employee training, corporate governance, and more.
Caught up in that onslaught are chief audit executives (CAEs), who are under incredible pressure to develop and deploy staff who can successfully support their organizations’ cybersecurity strategies. The demand for such assurance is creating significant competition to hire and retain auditors with the requisite IT skills.
Unfair as it may be, highly publicized cyber breaches in large organizations have toppled more than a few talented CAEs. My advice: Don’t just provide assurance on cyber controls; also provide assurance on the organization’s readiness to respond when the inevitable cyber breaches occur.
The IIA articulates principles for internal audit
The 2015 update to the International Professional Practices Framework included the addition of the Core Principles for the Professional Practice of Internal Auditing. This change was more than just an addition or update to the profession’s guidelines. The 10 principles articulate the fundamental beliefs that drive our profession and our practitioners.
These guideposts will help practitioners remain centered on the core philosophies of internal auditing even as technology, climate, geopolitics, macroeconomics, and social norms change the world around us.
Global media interest in internal audit soars
The past decade saw significant coverage of the internal audit profession, and most of it was in a positive light. Finally, major media institutions such as The Wall Street Journal, Financial Times, Bloomberg, Fortune, and Forbes are expanding their understanding and appreciation of the independent assurance internal audit provides organizations.
This is particularly noteworthy as media, regulators, investors, and the public in general are demanding increased transparency and accountability from boards and the C-suite. There is growing recognition that failed corporate governance is at the heart of many corporate scandals, and that sound corporate governance helps organizations manage risk, supports long-term sustainability, and ultimately benefits the public good. The IIA has positioned the profession well to leverage this growing appreciation.
Media interest in internal audit is not limited to the United States or other highly developed markets. During a recent trip to Central Africa, I was surrounded by media at every stop. The top question on their mind: How can internal audit help prevent and detect corruption in public institutions?
In the coming decade The IIA will make a strong case that internal audit is fundamental to sound corporate governance. I look forward to the challenges and successes the 2020s will hold as we move toward meeting our 2030 vision of having the profession universally recognized as indispensable to effective governance, risk management, and control.